If you are deploying a Distributed Authentication UI server, do not run it with amadmin as the Distributed Authentication Application User. The default Application User in the Makefile.distAuthUI file is amadmin, and that value is carried into the AMConfig.properties file when the distAuth.war file is deployed on the client side. The AppSSOToken held by the amadmin user expires when the amadmin session times out, which can cause a FATAL ERROR to be logged in the amSecurity log file (located by default in the /tmp/distAuth directory).
Workaround. Specify UrlAccessAgent as the Distributed Authentication Application User, using one of the following two methods:
Before deploying the distAuth.war file in the client Web container, change the following parameters in the Makefile.distAuthUI file:

APPLICATION_USERNAME=UrlAccessAgent
APPLICATION_PASSWORD=shared-secret-password (or amldapuser-password)
or
After deploying the distAuth.war file in the client Web container, change the following properties in the AMConfig.properties file for each Access Manager server:

com.sun.identity.agents.app.username=UrlAccessAgent
com.iplanet.am.service.password=shared-secret-password (or amldapuser-password)
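The post-deployment method above is a simple key=value edit, but it is easy to leave the default amadmin value in place on one of several client Web containers. The following POSIX shell script is an added example, not part of the Access Manager documentation or product: it rewrites the two AMConfig.properties properties in place and refuses to report success while the application user is still amadmin. The file path, the sample properties fragment and the placeholder password are constructed for illustration; substitute the shared secret or amldapuser password configured on your Access Manager server. The same functions work on Makefile.distAuthUI before deployment, with APPLICATION_USERNAME and APPLICATION_PASSWORD as the keys, assuming those parameters appear at the start of a line.

```shell
#!/bin/sh
# Added example, not from the Access Manager documentation or product.
# Rewrites the Distributed Authentication application user in a key=value
# file (AMConfig.properties after deployment, or Makefile.distAuthUI before)
# and checks that it is no longer amadmin. Paths and sample contents below
# are constructed for illustration.

# set_prop FILE KEY VALUE: replace an existing KEY=... line or append one.
# VALUE must not contain '|' because it is used as the sed delimiter.
set_prop() {
    file=$1; key=$2; value=$3
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # match dots literally
    if grep -q "^${key_re}=" "$file"; then
        sed -i.bak "s|^${key_re}=.*|${key}=${value}|" "$file" && rm -f "$file.bak"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_prop FILE KEY: print the value of KEY, or nothing if it is absent.
get_prop() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s|^${key_re}=||p" "$1" | head -n 1
}

# check_app_user FILE KEY: succeed only if KEY is set and is not amadmin.
check_app_user() {
    user=$(get_prop "$1" "$2")
    [ -n "$user" ] && [ "$user" != "amadmin" ]
}

# Demo on a constructed AMConfig.properties fragment with the default user.
demo_dir=$(mktemp -d)
cfg="$demo_dir/AMConfig.properties"
cat > "$cfg" <<'EOF'
com.iplanet.am.naming.url=http://am.example.com:8080/amserver/namingservice
com.sun.identity.agents.app.username=amadmin
com.iplanet.am.service.password=changeit
EOF

if check_app_user "$cfg" com.sun.identity.agents.app.username; then
    echo "application user is already acceptable"
else
    echo "application user is amadmin; switching to UrlAccessAgent"
    set_prop "$cfg" com.sun.identity.agents.app.username UrlAccessAgent
    # Placeholder (assumed): use the shared secret or amldapuser password
    # configured on the Access Manager server.
    set_prop "$cfg" com.iplanet.am.service.password shared-secret-password
fi
check_app_user "$cfg" com.sun.identity.agents.app.username \
    && echo "OK: app user is $(get_prop "$cfg" com.sun.identity.agents.app.username)"
rm -rf "$demo_dir"
```

Run check_app_user alone as a post-deployment gate on each client Web container; a nonzero exit means the amadmin default survived and the FATAL ERROR in amSecurity will return once the amadmin session expires.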
See also CR# 6440697: Distributed Authentication should run as non-amadmin user.