Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Upcomming Trips

Social Networks

Popular Articles

Winmail.dat

Who am I?

Feeds

 Content
 Comments

Recent Entries

Microsoft requires DMARC
Balkonsolar - year two in
Bug: Mail routing and mai
Dezember 2024: AcceptIT A
Welcome Domino License An

Archives

April 2025 (1)
January 2025 (1)
December 2024 (1)
November 2024 (2)
October 2024 (2)
September 2024 (1)
July 2024 (1)
May 2024 (2)
April 2024 (3)
March 2024 (1)
February 2024 (2)
January 2024 (5)
December 2023 (3)
November 2023 (2)
October 2023 (1)
September 2023 (4)
June 2023 (1)
April 2023 (3)
March 2023 (1)
February 2023 (1)
July 2022 (1)
September 2021 (1)
August 2021 (2)
May 2021 (1)
February 2021 (3)
January 2021 (1)
November 2020 (1)
October 2020 (2)
September 2020 (2)
March 2020 (1)
November 2019 (1)
August 2019 (1)
July 2019 (1)
March 2019 (1)
December 2018 (1)
November 2018 (1)
October 2018 (1)
September 2018 (1)
May 2018 (1)
January 2018 (1)
December 2017 (1)
November 2017 (1)
September 2017 (1)
March 2017 (2)
February 2017 (5)
November 2016 (1)
September 2016 (4)
April 2016 (1)
March 2016 (7)
January 2016 (1)
December 2015 (1)
November 2015 (3)
August 2015 (1)
July 2015 (2)
June 2015 (5)
May 2015 (5)
March 2015 (3)
February 2015 (2)
January 2015 (4)
December 2014 (3)
November 2014 (1)
September 2014 (4)
August 2014 (1)
May 2014 (4)
April 2014 (1)
March 2014 (2)
February 2014 (3)
January 2014 (2)
October 2013 (1)
September 2013 (1)
August 2013 (2)
July 2013 (2)
March 2013 (2)
February 2013 (4)
January 2013 (3)
December 2012 (2)
November 2012 (1)
October 2012 (2)
September 2012 (4)
August 2012 (3)
July 2012 (1)
June 2012 (6)
May 2012 (1)
February 2012 (2)
January 2012 (1)
December 2011 (4)
November 2011 (2)
September 2011 (1)
May 2011 (2)
March 2011 (1)
January 2011 (1)
November 2010 (5)
October 2010 (2)
September 2010 (2)
August 2010 (1)
July 2010 (3)
June 2010 (1)

Sametime Missing single sign on token - again

Thomas Hampel
 23 March 2015
Once again a customer ran into an issue with Missing Single Sign On Token - I have blogged about it before

The Problem:
Initial authentication is working fine, but when disconnecting the network cable + reconnecting again, users see "Missing SingleSignOn Token", or authentication does not work at all without any error message.
The problem can be resolved by restarting the client. However, this is not an acceptable solution.

Analysis
As mentioned earlier, authentication via Domino SingleSignOn is working fine at the first Notes Client logon On the client, the configuration pretty much looks like that:
Image:Sametime Missing single sign on token - again

I've enable the following debug parameters as described here in the file rcpinstall.properties which is located in the folder workspace\.config\
com.ibm.rcp.accounts.level=FINEST
org.apache.commons.httpclient.level=FINE
com.ibm.workplace.internal.notes.security.auth.level=FINEST
com.lotus.sametime.community.level=FINEST
com.ibm.collaboration.realtime.community.level=FINEST
com.ibm.collaboration.realtime.im.community.level=FINEST
com.ibm.collaboration.realtime.login.level=FINEST
com.ibm.rcp.internal.security.auth.module.level=FINEST
com.ibm.rcp.internal.security.level=FINEST
com.ibm.rcp.security.level=FINEST


Restarted the Notes client and started testing to reproduce the problem. Looking at the error log
Within the error log file of the client which is located in \workspace\logs\error-log-0.xml ) this error caught my attention => CWPST0306W: An exception occurred while invoking the target method login.
Further down in the log there is even more information about this exception.


             javax.security.auth.login.LoginException: Server Unavailable.
	at com.ibm.workplace.internal.notes.security.auth.LtpaLoginModule.login(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at com.ibm.rcp.security.auth.ExtLoginModuleProxy.invokeImpl(Unknown Source)
	at com.ibm.rcp.internal.security.AbstractProxy.invoke(Unknown Source)
	at com.sun.proxy.$Proxy0.login(Unknown Source)
	at com.ibm.rcp.security.auth.ExtLoginModuleProxy.login(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
             
	at java.lang.reflect.Method.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.access$000(Unknown Source)
	at javax.security.auth.login.LoginContext$4.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Unknown Source)
	at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
	at javax.security.auth.login.LoginContext.login(Unknown Source)
	at com.ibm.rcp.security.auth.service.AbstractLoginService.login(Unknown Source)
	at com.ibm.rcp.accounts.internal.AccountsLoginContextServiceImpl.login(Unknown Source)
	at com.ibm.workplace.internal.notes.security.auth.DominoLtpaToken.destroy(Unknown Source)
	at com.ibm.rcp.accounts.internal.auth.module.Utils.destroyTokens(Unknown Source)
	at com.ibm.rcp.accounts.internal.AccountsManagerImpl.clearCredentials(Unknown Sour
             ce)
	at com.ibm.rcp.accounts.internal.AccountsManagerImpl.updateAccount(Unknown Source)
	at com.ibm.collaboration.realtime.im.community.accountstore.internal.CommunityAdapter.updateAccount(Unknown Source)
	at com.ibm.collaboration.realtime.im.community.accountstore.internal.CommunityAdapter.handleCommunityUpdate(Unknown Source)
	at com.ibm.collaboration.realtime.im.community.accountstore.internal.CommunityAdapter.handleCommunityLifecycleEvent(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityListenerProxy.delegateCommunityEvent(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityListenerProxy.handleCommunityEvent(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityListenerProxy.handleCommunityLifecycleEvent(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityMgr.notifyCommunityListeners(Unknown Sourc
             e)
	at com.ibm.collaboration.realtime.community.internal.CommunityMgr.updateCommunity(Unknown Source)
	at com.ibm.collaboration.realtime.login.LoginMgr.updateCommunity(Unknown Source)
	at com.ibm.collaboration.realtime.login.LoginMgr.handleLoginSuccess(Unknown Source)
	at com.ibm.collaboration.realtime.login.LoginMgr.access$0(Unknown Source)
	at com.ibm.collaboration.realtime.login.LoginMgr$LoginAdapter.handleLoginEvent(Unknown Source)
	at com.ibm.collaboration.realtime.login.internal.CommunityLoginService.notifyLoginListeners(Unknown Source)
	at com.ibm.collaboration.realtime.login.internal.CommunityLoginService.handleLoginSucceeded(Unknown Source)
	at com.ibm.collaboration.realtime.login.internal.CommunityLoginService.handleCommunityLoginEvent(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityImpl.notifyListener(Unknown Source)
	at com.ibm.collaboratio
             n.realtime.community.internal.CommunityImpl.notifyListeners(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityImpl$1.run(Unknown Source)
	at org.eclipse.core.internal.jobs.Worker.run(Unknown Source)

     


Solution
It seems like the LtpaToken requires an hierarchical name of a server in order to be validated correctly. This can be done either by specifying the hierarchical name in the field "Host server" of your connection preferences, but doing so willl show an alert that you should use a fully qualified DNS name in this field.

So better put the hierarchical name in the Authentication server field as shown here:
Image:Sametime Missing single sign on token - again
This can be any server which shares the same LtpaToken with the Sametime server, of course you can also specifiy the Domino name of the Sametime server here.

How to deploy this setting automatically?
Within the managed community settings the parameter "authServerUrl" is used for this setting.

You can use a Desktop Policy setting to push this configuration setting down to all your clients. In the Managed Settings section, just add the following:
Item : authServerUrl
Value : hierarchical name of your Domino server, e.g. DominoServer/OU/Org
Plug-in name : com.ibm.collaboration.realtime.community
Image:Sametime Missing single sign on token - again

And you're done :)

Remarks
Comments [3]
Tagged with: Error Sametime
Go ElsewhereSubscribe to RSSAboutStay ConnectedAnd More
Thomas Hampel, All rights reserved.