Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Who am I?

Feeds

Query results for : September 2013

Sametime Missing single sign on token- 2 September 2013 - (1) Comments

Thomas Hampel
 2 September 2013

I've just fixed an authentication issue in a customer environment and wanted to pass along the findings.

The problem:
Sametime users can log on to via username/password, but SingleSign On isnt working as expected.
On the client, the configuration pretty much looks like that:
Image:Sametime Missing single sign on token

Authentication via Domino SingleSignOn is working fine at the first Notes Client logon. Once the client disconnects, e.g. network disconnect, computer went on standby, etc. etc. the Notes client can no longer authenitcate with the server. The error message "Missing single sign on token" is displayed.
Image:Sametime Missing single sign on token
For now, clients had to restart the Notes Client to log back into Sametime.

Root cause:
After successful authentication, the server is handing out a token (LtpaToken) to the client which seems to be bound to the DNS domain specified in this token.
The Sametime community configured at the client must be in the same DNS zone, otherwise users can only log in once but not re-logon without restarting the client.

Solution:
Check the following three places and make sure the DNS domain specified is the same.
  1. The LtpaToken used by the server
    see Domino Directory : Web Configurations\Web SSO Configuration\LtpaToken
    Image:Sametime Missing single sign on token
  2. The Server document
    - Basics \ Fully Qualified Internet Host name
    Image:Sametime Missing single sign on token

    - Internet Protocols \ HTTP \ Host Name
    Image:Sametime Missing single sign on token
  3. Notes Client Preferences \ Sametime Communities
    Image:Sametime Missing single sign on token<< obviously this screenshot shows a different Domain name than the one specified in the LtpaToken

Remarks
  • Without an authentication server specified, Notes will obtain the token directly from the Sametime server configured. If the token is obtained from an authentication server, the secret key within the token of course will have to match the token configured in your Sametime server.
  • A complete list of settings that can be predefined within the Sametime client by using Domino policies is available here
Thomas Hampel, All rights reserved.