I tested this scenario with Tomcat's LoginCommand implementation and it works as expected. On the client, I call remoteObject.logout() and I see the following in debug logs on the server which tells me that the server gets the logout command message:

[BlazeDS] [DEBUG] [Message.Command.logout] Executed command: service=authenticat
ion-service
  commandMessage: Flex Message (flex.messaging.messages.CommandMessage)
    operation = logout
    clientId = 73EA16CE-4E0A-A11B-5566-00DF8ABEFC28
    correlationId =
    destination =
    messageId = B2368423-BFAC-7CE5-D8E8-C2EF3DFF664F
    timestamp = 1205861301806
    timeToLive = 0
    body = {}
    hdr(DSEndpoint) = my-amf
    hdr(DSId) = 73E9FEA8-AA0F-4CDF-21EE-71AA71AA9491
  replyMessage: Flex Message (flex.messaging.messages.AcknowledgeMessage)
    clientId = 73EA16CE-4E0A-A11B-5566-00DF8ABEFC28
    correlationId = B2368423-BFAC-7CE5-D8E8-C2EF3DFF664F
    destination = null
    messageId = 73EA16F5-5E0A-841A-476B-4D23CA679A4F
    timestamp = 1205861301822
    timeToLive = 0
    body = success

On the server, I put a breakpoint in LoginManager.logout and TomcatLoginCommand.logout and both methods got hit respectively. So logout is definitely sent from the client to the server and server definitely processes that logout command.

The only thing I can think of is that maybe customer's LoginCommand implementation is not doing something right? So I need more information from the customer for their use case.

Assigning to customer for more information on their use case. Specifically, need more information on their LoginCommand implementation.

When I changed:
var ro:RemoteObject = new RemoteObject();
ro.destination = "ILoginService";
ro.logout();

to:
var ro:RemoteObject = new RemoteObject();
ro.destination = "ILoginService";
if (ro.channelSet == null){
          ro.channelSet = ServerConfig.getChannelSet(ro.destination);
}
var token:AsyncToken = ro.channelSet.logout();
token.addResponder(new AsyncResponder(
    onLogoutSuccess,
    onLogoutFault
));

Then the LoginCommand.logout() method was invoked as desired.

My LoginCommand implementation is very basic (listed below), but the logout() method was NOT invoked when calling it on a RemoteObject using the above code; After changing to ChannelSet.logout(), it is properly invoked.
Thanks
Tyson

public class LoginCommand implements flex.messaging.security.LoginCommand {
  private static final Log log = LogFactory.getLog(LoginCommand.class);
  private static IAccessManager accessManager = null;
  /**
   * @see http://livedocs.adobe.com/livecycle/es/sdkHelp/programmer/lcdsjavadoc/flex/messaging/security/LoginCommand.html#doAuthentication(java.lang.String,%20java.lang.Object)
   */
  public Principal doAuthentication(String username, Object credentials) {
    String password = (String)credentials;
    Principal principal = accessManager.doAuthenticate(username, password);
    if( principal != null ) {
        FlexContext.setUserPrincipal(principal);
    }
    log.info("authenticating user:" + username);
    return principal;
    //return new MLPrincipal(username);
  }

  public boolean doAuthorization(Principal principal, List roles) {
    log.info("AUTHORIZING user:" + principal.getName());
    //need a way to authorize a particular method that is currently being requested?
    //this method typically operates on a per-service granularity, so all operations hosted by a particular
    //destination have the same authorization rules.
    return true;
  }

  public boolean logout(Principal principal) {
    log.info("logging out user:" + principal.getName());
    
    return true;
  }

  public void start(ServletConfig servletConfig) {
    // TODO Auto-generated method stub
    log.info("starting LoginCommand...");
  }

  public void stop() {
    // TODO Auto-generated method stub

  }
  public class MLPrincipal implements Principal{
    private String name;
    public MLPrincipal(String name){
      this.name = name;
    }
    public String getName() {
      return name;
    }
    
  }
    
    public static void setAccessManager(IAccessManager accessMgr) {
        accessManager = accessMgr;
    }
}

This is the expected "legacy" behavior of RemoteObject.logout. ChannelSet.login/logout is the right way of authenticating and when you use RemoteObject.logout, it eventually goes to ChannelSet.logout according to the ASDoc comment from ChannelSet class:

     * Legacy behavior only sends a logout request to the server if the client is connected
     * and authenticated.
     * If these conditions are not met the legacy behavior for this method is to do nothing other
     * than clear any credentials that have been cached for use in automatic reconnects.

In this case, that particular RemoteObject instance was not connected, so calling RemoteObject.logout would not do anything.

However, we need to update ASDocs for RemoteObject, Producer, Consumer, etc. to indicate that ChannelSet.login/logout() is the preferred way now.

Changing severity to "Conflicts with Documentation"

doc issue