Express (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users > Select a registry or repository > Manage realms in a federated repository > Virtual member manager > Troubleshoot and Support > Support issues and limitations > Authentication issues and limitations


Multiple entities with the same principal name

Follow these steps to troubleshoot when the error “multiple principals were found” (message CWWIM4538E) is displayed during login.


Problem

An exception similar to the following example occurs:

00000014 exception     1 com.ibm.ws.wim.registry.util.UniqueIdBridge getUniqueUserId
CWWIM4538E Multiple principals were found for the 'wimadmin' principal name.
00000014 exception     1 com.ibm.ws.wim.registry.util.UniqueIdBridge getUniqueUserId
com.ibm.websphere.wim.exception.EntityNotFoundException: CWWIM4538E Multiple principals were found for the 'wimadmin' principal name.
    at com.ibm.ws.wim.registry.util.UniqueIdBridge.getUniqueUserId(UniqueIdBridge.java:168)

In this example, the virtual member manager trace shows that the search() API returns two entities with the same principal name, wimadmin: one from the file repository and one from the LDAP repository. Because the login cannot be resolved to a single entity, the exception occurs.

uniqueName="uid=wimadmin,o=defaultWIMFileBasedRealm"
uniqueName="CN=wimadmin,OU=US,DC=COM"

Also, in this example, the same name is assigned to primaryAdminId (and to serverId) in the security.xml file, as shown here, so the duplicate is hit on every administrative login and the “multiple principals” exception occurs. The following example is broken into multiple lines for illustration purposes only.

<userRegistries
xmi:type="security:WIMUserRegistry"
xmi:id="WIMUserRegistry_1"
serverId="wimadmin"
serverPassword="{xor}****************"
realm="WIMREALM"
ignoreCase="true"
useRegistryServerId="false"
primaryAdminId="wimadmin"
registryClassName="com.ibm.ws.wim.registry.WIMUserRegistry"/> 


Solution

Virtual member manager does not allow the same user ID to appear more than once in a realm. Uniqueness is judged by principal name (the login attribute, such as uid or cn), not by distinguished name, so two entries with different uniqueNames still collide: for example, you cannot have the same user ID in different LDAP directories, even under different organizational structures, and you cannot have it in a file repository and an LDAP repository at the same time. Hence, the user ID must be unique across all repositories that are federated in the realm. Before you add a repository or base entry to a realm, check that none of its user IDs already exists in the realm.

Consider a scenario in which the primary administrative user, wimadmin, exists in both a file repository and an LDAP repository. Use the administrative console and follow these steps to remove the duplicate entry from the file repository, so that only the LDAP entry remains.

  1. Log in with a valid user ID. A user ID is valid if it exists in the realm and there is no duplicate entry for it in any other repository of the realm.
  2. Create a user ID in the file repository called wimadmin2.
  3. Use the Administrative user roles page to add the user ID, wimadmin2, to the WAS administrator role.
  4. Use the Federated repositories configuration page to add the LDAP repository and base entry to the realm.
  5. Restart the server.
  6. Log in to WAS with the user ID, wimadmin2.
  7. Use the Manage Users page to delete the user ID named wimadmin from the file repository.
  8. Log out.
  9. Log in with the user ID wimadmin from the LDAP repository.

The primary administrative ID, wimadmin, now exists in only one repository of the realm (the LDAP repository), so the realm resolves it to a single entity; wimadmin2 remains in the file repository as a fallback administrator.
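The uniqueness rule above, and the before and after state of this procedure, as an added Python check that is not part of this page and not virtual member manager code. It models each repository of the realm as a list of entity uniqueNames, takes the principal name to be the value of the leading RDN (uid=... for the file repository, CN=... for the LDAP entries shown on this page; the real LDAP login attribute is configurable and may differ), reads primaryAdminId and ignoreCase from a security.xml fragment, and reproduces the lookup that fails with CWWIM4538E when a principal name resolves to more than one entity. The repository contents, the wrapping Security element with its namespace declarations, and the case-insensitive comparison for ignoreCase="true" are assumptions for the example.

```python
"""Pre-flight check for colliding principal names in a federated realm.

Added illustration for this page; not IBM or virtual member manager code.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

XMI_NS = "http://www.omg.org/XMI"


class MultiplePrincipalsError(LookupError):
    """Principal name matched more than one entity across the realm (CWWIM4538E)."""


def rdn_value(unique_name):
    """'uid=wimadmin,o=defaultWIMFileBasedRealm' -> 'wimadmin'.

    Assumption: the principal name is the leading RDN value of the uniqueName.
    """
    leading_rdn = unique_name.split(",", 1)[0]
    return leading_rdn.partition("=")[2].strip()


def index_principals(repositories, ignore_case=True):
    """Map principal name -> [(repository id, uniqueName), ...] over the realm.

    With ignoreCase="true" the registry compares names case-insensitively, so
    'WimAdmin' and 'wimadmin' land in the same bucket (assumed plain lowercase fold).
    """
    index = defaultdict(list)
    for repo_id, unique_names in repositories.items():
        for unique_name in unique_names:
            key = rdn_value(unique_name)
            index[key.lower() if ignore_case else key].append((repo_id, unique_name))
    return index


def find_duplicates(repositories, ignore_case=True):
    """Principal names carried by more than one entity, with every hit listed."""
    index = index_principals(repositories, ignore_case)
    return {name: hits for name, hits in index.items() if len(hits) > 1}


def get_unique_user_id(principal_name, repositories, ignore_case=True):
    """Model of UniqueIdBridge.getUniqueUserId: one uniqueName or an exception."""
    index = index_principals(repositories, ignore_case)
    hits = index.get(principal_name.lower() if ignore_case else principal_name, [])
    if len(hits) > 1:
        found = ", ".join(unique_name for _, unique_name in hits)
        raise MultiplePrincipalsError(
            f"CWWIM4538E Multiple principals were found for the "
            f"'{principal_name}' principal name: {found}")
    if not hits:
        raise KeyError(principal_name)
    return hits[0][1]


def read_wim_registry(security_xml):
    """Return (primaryAdminId, ignoreCase) from the WIMUserRegistry element."""
    root = ET.fromstring(security_xml)
    for registry in root.iter("userRegistries"):
        if registry.get(f"{{{XMI_NS}}}type") == "security:WIMUserRegistry":
            ignore_case = registry.get("ignoreCase", "false").lower() == "true"
            return registry.get("primaryAdminId"), ignore_case
    raise ValueError("no WIMUserRegistry element in security.xml")


def check_realm(security_xml, repositories):
    """List the problems that would surface as CWWIM4538E at login; [] when clean."""
    admin_id, ignore_case = read_wim_registry(security_xml)
    problems = []
    for name, hits in sorted(find_duplicates(repositories, ignore_case).items()):
        where = ", ".join(f"{repo}: {unique_name}" for repo, unique_name in hits)
        problems.append(f"principal '{name}' has {len(hits)} entities ({where})")
    try:
        get_unique_user_id(admin_id, repositories, ignore_case)
    except MultiplePrincipalsError:
        problems.append(f"primaryAdminId '{admin_id}' cannot resolve to a single entity")
    except KeyError:
        problems.append(f"primaryAdminId '{admin_id}' exists in no repository")
    return problems


# Constructed inputs modelled on the page's trace and security.xml fragment.
# The wrapping Security element and its namespace declarations are assumed.
SECURITY_XML = """<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi">
  <userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1"
      serverId="wimadmin" serverPassword="{xor}****************" realm="WIMREALM"
      ignoreCase="true" useRegistryServerId="false" primaryAdminId="wimadmin"
      registryClassName="com.ibm.ws.wim.registry.WIMUserRegistry"/>
</security:Security>"""

LDAP_ENTRIES = ["CN=wimadmin,OU=US,DC=COM", "CN=alice,OU=US,DC=COM"]

# Before the procedure: wimadmin exists in both repositories (constructed).
REALM_BEFORE = {
    "InternalFileRepository": ["uid=wimadmin,o=defaultWIMFileBasedRealm"],
    "LDAP1": LDAP_ENTRIES,
}
# After it: the file-repository copy is gone and wimadmin2 holds the admin role.
REALM_AFTER = {
    "InternalFileRepository": ["uid=wimadmin2,o=defaultWIMFileBasedRealm"],
    "LDAP1": LDAP_ENTRIES,
}

if __name__ == "__main__":
    for label, realm in (("before", REALM_BEFORE), ("after", REALM_AFTER)):
        print(label, check_realm(SECURITY_XML, realm) or "ok")
```

Run check_realm against the planned contents of a realm before you add a repository or base entry (step 4 above); an empty list means every principal name, including primaryAdminId, resolves to exactly one entity, which is the condition the procedure restores.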

Parent topic: Authentication issues and limitations
