Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Sametime Missing single sign on token - again

Thomas Hampel
 23 March 2015

Once again, a customer ran into the "Missing Single Sign On Token" issue. I have blogged about it before.

The Problem:

Initial authentication works fine, but after disconnecting and reconnecting the network cable, users see "Missing SingleSignOn Token", or authentication does not work at all and no error message is shown.
The problem can be resolved by restarting the client. However, this is not an acceptable solution.

Analysis

As mentioned earlier, authentication via Domino SingleSignOn works fine at the first Notes client logon. On the client, the configuration looks pretty much like this:
Image:Sametime Missing single sign on token - again

I enabled the following debug parameters, as described here, in the file rcpinstall.properties, which is located in the folder workspace\.config\
com.ibm.rcp.accounts.level=FINEST
org.apache.commons.httpclient.level=FINE
com.ibm.workplace.internal.notes.security.auth.level=FINEST
com.lotus.sametime.community.level=FINEST
com.ibm.collaboration.realtime.community.level=FINEST
com.ibm.collaboration.realtime.im.community.level=FINEST
com.ibm.collaboration.realtime.login.level=FINEST
com.ibm.rcp.internal.security.auth.module.level=FINEST
com.ibm.rcp.internal.security.level=FINEST
com.ibm.rcp.security.level=FINEST


I restarted the Notes client and started testing to reproduce the problem.
In the client's error log file, which is located in \workspace\logs\error-log-0.xml, this error caught my attention: CWPST0306W: An exception occurred while invoking the target method login.
Further down in the log there is even more information about this exception.


javax.security.auth.login.LoginException: Server Unavailable.
	at com.ibm.workplace.internal.notes.security.auth.LtpaLoginModule.login(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at com.ibm.rcp.security.auth.ExtLoginModuleProxy.invokeImpl(Unknown Source)
	at com.ibm.rcp.internal.security.AbstractProxy.invoke(Unknown Source)
	at com.sun.proxy.$Proxy0.login(Unknown Source)
	at com.ibm.rcp.security.auth.ExtLoginModuleProxy.login(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.access$000(Unknown Source)
	at javax.security.auth.login.LoginContext$4.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Unknown Source)
	at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
	at javax.security.auth.login.LoginContext.login(Unknown Source)
	at com.ibm.rcp.security.auth.service.AbstractLoginService.login(Unknown Source)
	at com.ibm.rcp.accounts.internal.AccountsLoginContextServiceImpl.login(Unknown Source)
	at com.ibm.workplace.internal.notes.security.auth.DominoLtpaToken.destroy(Unknown Source)
	at com.ibm.rcp.accounts.internal.auth.module.Utils.destroyTokens(Unknown Source)
	at com.ibm.rcp.accounts.internal.AccountsManagerImpl.clearCredentials(Unknown Source)
	at com.ibm.rcp.accounts.internal.AccountsManagerImpl.updateAccount(Unknown Source)
	at com.ibm.collaboration.realtime.im.community.accountstore.internal.CommunityAdapter.updateAccount(Unknown Source)
	at com.ibm.collaboration.realtime.im.community.accountstore.internal.CommunityAdapter.handleCommunityUpdate(Unknown Source)
	at com.ibm.collaboration.realtime.im.community.accountstore.internal.CommunityAdapter.handleCommunityLifecycleEvent(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityListenerProxy.delegateCommunityEvent(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityListenerProxy.handleCommunityEvent(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityListenerProxy.handleCommunityLifecycleEvent(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityMgr.notifyCommunityListeners(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityMgr.updateCommunity(Unknown Source)
	at com.ibm.collaboration.realtime.login.LoginMgr.updateCommunity(Unknown Source)
	at com.ibm.collaboration.realtime.login.LoginMgr.handleLoginSuccess(Unknown Source)
	at com.ibm.collaboration.realtime.login.LoginMgr.access$0(Unknown Source)
	at com.ibm.collaboration.realtime.login.LoginMgr$LoginAdapter.handleLoginEvent(Unknown Source)
	at com.ibm.collaboration.realtime.login.internal.CommunityLoginService.notifyLoginListeners(Unknown Source)
	at com.ibm.collaboration.realtime.login.internal.CommunityLoginService.handleLoginSucceeded(Unknown Source)
	at com.ibm.collaboration.realtime.login.internal.CommunityLoginService.handleCommunityLoginEvent(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityImpl.notifyListener(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityImpl.notifyListeners(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityImpl$1.run(Unknown Source)
	at org.eclipse.core.internal.jobs.Worker.run(Unknown Source)
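
As an added example (not part of the original post and not IBM code), the Python helper below checks a log excerpt for the signature seen above: message CWPST0306W, a LoginException thrown by LtpaLoginModule.login, and DominoLtpaToken.destroy further down the same call chain. It treats the log as plain text rather than relying on the XML schema of error-log-0.xml, and the sample input is constructed and abridged from the trace above.

```python
import re

# Markers copied from the log excerpt on this page.
MESSAGE_ID = "CWPST0306W"
PKG = "com.ibm.workplace.internal.notes.security.auth."
LOGIN_FRAME = PKG + "LtpaLoginModule.login"
DESTROY_FRAME = PKG + "DominoLtpaToken.destroy"
HEADER = re.compile(r"^([\w.$]+(?:Exception|Error)):\s*(.*)$")
FRAME = re.compile(r"^at\s+([\w.$]+)\(")

# Constructed sample, abridged from the trace above; one frame is wrapped mid-name.
SAMPLE = """\
CWPST0306W: An exception occurred while invoking the target method login.
javax.security.auth.login.LoginException: Server Unavailable.
\tat com.ibm.workplace.internal.notes.security.auth.LtpaLoginModule.login(Unknown Source)
\tat com.ibm.workplace.internal.notes.security.auth.DominoLtpaTo
             ken.destroy(Unknown Source)
\tat com.ibm.rcp.accounts.internal.AccountsManagerImpl.clearCredentials(Unknown Source)
"""


def parse_trace(text):
    """Return (exception, reason, frames); rejoins frames wrapped mid-line."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("at ") or HEADER.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += line  # continuation of a wrapped line
    exc = reason = None
    frames = []
    for entry in entries:
        header, frame = HEADER.match(entry), FRAME.match(entry)
        if header and exc is None:
            exc, reason = header.groups()
        elif frame:
            frames.append(frame.group(1))
    return exc, reason, frames


def triage(log_text):
    """Check a log excerpt for the failure signature shown in this post."""
    exc, reason, frames = parse_trace(log_text)
    thrown_by_ltpa = frames[:1] == [LOGIN_FRAME]
    during_destroy = DESTROY_FRAME in frames
    return {"message_id": MESSAGE_ID in log_text, "exception": exc,
            "reason": reason, "thrown_by_ltpa_module": thrown_by_ltpa,
            "during_token_destroy": during_destroy,
            "matches": exc == "javax.security.auth.login.LoginException"
                       and thrown_by_ltpa and during_destroy}
```

Calling triage() on the text of a client's error log and checking the "matches" key tells you whether that client shows the same failure before you change its authentication server setting.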

     



Solution

It seems that the LtpaToken requires the hierarchical name of a server in order to be validated correctly. One option is to specify the hierarchical name in the "Host server" field of your connection preferences, but doing so will show an alert that you should use a fully qualified DNS name in this field.

It is better to put the hierarchical name in the Authentication server field, as shown here:
Image:Sametime Missing single sign on token - again
This can be any server which shares the same LtpaToken with the Sametime server. Of course, you can also specify the Domino name of the Sametime server here.

How to deploy this setting automatically?

Within the managed community settings the parameter "authServerUrl" is used for this setting.

You can use a Desktop Policy setting to push this configuration setting down to all your clients. In the Managed Settings section, just add the following:
Item : authServerUrl
Value : hierarchical name of your Domino server, e.g. DominoServer/OU/Org
Plug-in name : com.ibm.collaboration.realtime.community
Image:Sametime Missing single sign on token - again

And you're done :)

Comments

1.) Untitled

Craig Wiseman http://www.Wiseman.La/cpw 23/03/2015 12:27:01

Thanks for this! An example of how to do this kind of post.

While I've never seen this specific issue, the post still helps me by telling me how to turn on ST logging and how to properly set the Authentication server both manually and via policy.

2.) Untitled

Ron http:// 25/03/2015 15:28:02

Should the useAuthServer=true setting also be pushed?

Thanks

3.) Untitled

Thomas Hampel www.thomashampel.com 27/03/2015 23:19:52

True, in our case this parameter was being pushed already.
