Adobe Experience Manager Sites & More

this-that-the-otter · 4/15/25

We're hoping to run AEM under Java 11 but our SAML login and the internal (/libs/granite/core/content/login.html) login no longer work after updating the JVM (and still doesn't work when moving back to Java 1.8).

The error I see for internal login is:

User name and password do not match.

For SAML, the process stalls on the IdP - never redirecting back to AEM.

Interestingly, I can login to the AEM publish instance via the internal (/libs/granite/core/content/login.html) after switching it to JVM 11.

Here are some steps I've taken:

Initially, we tried deploying code compiled with Java 11 (but targeted to 1.8) to run on an AEM instance running under Java 1.8 - the new code did not start.

At some point we needed to delete a "repoinit" folder on author and publish to successfully start AEM (after deploying the Java 11 built code).

To run AEM under Java 11 - the following was added to sling.properties org.osgi.framework.bootdelegation:

jdk.internal.reflect,jdk.internal.reflect.*

I have since deleted repo.lock and cache.lock files, deleted the index folder, and deleted checkpoints, compacted tar files, and am rebuilding the indexes - still I cannot login, the indexes haven't been completely rebuilt yet.

I recall in the past Adobe had a password reset package the could be placed in the install folder, but also recall it stopped working at some point.

There don't look to be many things in the log files about this, on the SAML login attempt there is this:

15.04.2025 13:59:23.543 *INFO* [qtp1693777205-57] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
15.04.2025 13:59:23.553 *WARN* [qtp1693777205-57] org.apache.sling.auth.core.AuthUtil isRedirectValid: Redirect target must not be empty or null
15.04.2025 13:59:23.616 *INFO* [qtp1693777205-62] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
15.04.2025 13:59:23.626 *WARN* [qtp1693777205-62] org.apache.sling.auth.core.AuthUtil isRedirectValid: Redirect target must not be empty or null

Can someone recommend any other things we might try to recover access?

Thanks!

AmitVishwakarma · 5/28/25

Hi @this-that-the-otter ,

AEM 6.5+ does support Java 11, but only after SP6.5.4.0 and higher. The symptoms you describe login failures, SAML redirect issues, and internal password mismatches often stem from:

- Incompatible bundles (compiled for Java 😎

- Improper bootdelegation or JVM flags

- Corrupt Oak indexes or repoinit mismatches

- Missing Crypto keys (common if author repo was copied from publish or wiped)

Try below steps:

Step 1: Verify AEM Compatibility

Ensure you are on AEM 6.5.4.0 or higher.

Run this in your terminal:

curl -u admin:admin http://localhost:4502/system/console/status-productinfo

If not on SP6.5.4+, upgrade immediately before using Java 11.
You can download latest Service Packs from: Adobe Software Distribution

Step 2: Restore Internal Login Access with Password Reset Package

Adobe’s built-in admin reset package was deprecated, but there’s a manual method that works reliably.

Option A: Add an Emergency Admin User via repo-init

Create a file named reset-user.config with the following content:

# Add emergency user and grant full admin rights
create user emergency-admin with password "admin123"
add primarytype rep:User to emergency-admin
add to group administrators emergency-admin

Place it inside:

<your-AEM-path>/crx-quickstart/install/reset-user.config

Start AEM it will create a new user:
Username: emergency-admin
Password: admin123

Remove the file after first login to avoid security risks.

Step 3: Reset Crypto Keys (if password still fails)

Passwords in AEM are encrypted using CryptoSupport keys stored under:

crx-quickstart/launchpad/felix/bundle*/data

If your repo was migrated or cleaned:

Passwords won’t decrypt correctly, hence the "username and password do not match" error.

Fix:

Stop AEM.

Go to crx-quickstart and delete:

repository/

launchpad/felix/bundle*/data

Restart AEM clean.

Reset admin password using repo-init as shown above.

Step 4: Fix SAML Redirect Issue

The error:

AuthUtil isRedirectValid: Redirect target must not be empty or null

Means AEM doesn't know where to return after SAML login. Fix this by:

Configure valid redirect URL:

Go to: /system/console/configMgr/com.adobe.granite.auth.saml.SamlAuthenticationHandler

Set:

Default Redirect URL => /aem/start.html or your homepage

IDP Redirect URL => your actual IdP endpoint

Ensure anonymous access is not completely disabled if you use SAML for login-only users

Step 5: Java 11-Specific JVM Options

Update your start script to include:

-Djdk.util.zip.disableZip64ExtraFieldValidation=true \
-XX:+UseG1GC \
-XX:+UnlockExperimentalVMOptions \
-XX:+UseCGroupMemoryLimitForHeap \

And in sling.properties:

org.osgi.framework.bootdelegation=sun.*,com.sun.*,jdk.internal.reflect,jdk.internal.reflect.*

Regards,
Amit

Adobe Experience Manager Sites & More

Cannot Login to AEM Author after updating to Java 11

Learn

Documentation

Events

Community

Support

Resources

Adobe account

Adobe