SSO issue in AEM 63 after a recent upgrade from AEM61








Hi All,

Recently we have upgraded from AEM61 to AEM63 and started to face a new issue in SSO integration.

Problem Statement:

  1. We have an intranet site with OOTB LDAP Authentication configured.
  2. Additionally we have "Integrated Windows Authentication" enabled at the Apache + Kerberos level.
  3. "User ID" parameter will be passed by Kerberos to Dispatcher and then to AEM as a request header parameter to enable SSO. We have all the required SSO configurations in place.
  4. And we are referring this "User ID" value in our various component by picking it from the client context.
  5. Recently we noticed that in IE and Chrome, this user ID is being passed as session ID for few users (only in few times - inconsistently) and this is breaking our component logic. The same is working in Firefox now.
  6. Could see following lines in SSO logs (SSO logs are enabled upto DEBUG Level for the two packages - and com.adobe.granite.auth.sso):

27.08.2018 08:43:40.796 *DEBUG* [qtp2034268427-47241] login: requesting authentication using handler:

27.08.2018 08:43:40.802 *DEBUG* [qtp2034268427-46699] forceAuthentication: Not forcing authentication because request parameter sling:authRequestLogin is not set

27.08.2018 08:43:40.802 *DEBUG* [qtp2034268427-46699] getAuthenticationInfo: no handler could extract credentials; assuming anonymous

27.08.2018 08:43:40.803 *DEBUG* [qtp2034268427-46699] doHandleSecurity: No credentials in the request, anonymous

We were suspecting that Kerberos is not passing the value properly and for this reason we hard coded the "User ID" in the web server configuration file directly while setting the request header parameter, even then we were able to simulate the issue. Below is the snap which shows "User ID" (Visitor's ID by AEM) is holding a value of session ID, as the user ID is empty.


Below is what AEM does:


    CQ_Analytics.ClientContextMgr.prototype.getId = function() {

        var id = this.getVisitorId();

        if (!id) {

            return this.getSessionId();


        return id;


We are not able to get any clues why the User ID is empty from SSO logs, dispatcher log shows the actual user ID properly. Any pointers to trouble shoot further will be helpful.


Dinesh kumar L.