Sametime Missing single sign on token
Thomas Hampel
2 September 2013

I've just fixed an authentication issue in a customer environment and wanted to pass along the findings.
The problem:
Sametime users can log on via username/password, but Single Sign-On isn't working as expected.
On the client, the configuration looks roughly like this:
Authentication via Domino Single Sign-On works fine at the first Notes client logon. Once the client disconnects (network disconnect, computer going on standby, etc.), the Notes client can no longer authenticate with the server and displays the error message "Missing single sign on token".
Until now, users had to restart the Notes client to log back in to Sametime.
Root cause:
After successful authentication, the server is handing out a token (LtpaToken) to the client which seems to be bound to the DNS domain specified in this token.
The Sametime community configured on the client must be in the same DNS zone; otherwise users can log in once but cannot log on again without restarting the client.
Solution:
Check the following three places and make sure the DNS domain specified is the same in all of them.
- The LtpaToken used by the server
  see Domino Directory: Web Configurations\Web SSO Configuration\LtpaToken
- The Server document
  - Basics \ Fully Qualified Internet Host name
  - Internet Protocols \ HTTP \ Host Name
- Notes Client Preferences \ Sametime Communities
  (The screenshot of this dialog shows a different domain name than the one specified in the LtpaToken.)
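The three-place check above is easy to get wrong by eye, especially when the token domain is written with a leading dot and host names differ in case. The following Python script is an added example, not part of the original post: it takes the four configured values, normalizes them, and reports which ones fall outside the DNS domain of the LtpaToken using the same suffix matching that cookie domains use. All host names and domains in it are constructed placeholders (example.com / example.net), and the choice to treat an empty HTTP Host Name as "inherits the server's fully qualified host name" is this example's assumption.

```python
# Added example (not from the original post): consistency check for the DNS
# domain across the LtpaToken, the Server document and the client's Sametime
# community. All sample values below are constructed placeholders.
from dataclasses import dataclass


def normalize_host(value: str) -> str:
    """Lower-case a host name or domain and strip surrounding space and a trailing dot."""
    return value.strip().lower().rstrip(".")


def host_in_domain(host: str, domain: str) -> bool:
    """True if host lies inside the DNS domain (suffix match on a label boundary).

    The token's DNS Domain is usually written with a leading dot (".example.com"),
    so the dot is stripped before comparing. A short host name without any dot
    carries no DNS domain at all and can never match the token.
    """
    host = normalize_host(host)
    domain = normalize_host(domain).lstrip(".")
    if not domain or "." not in host:
        return False
    return host == domain or host.endswith("." + domain)


@dataclass
class SsoSettings:
    ltpa_token_domain: str        # Web SSO Configuration -> LtpaToken -> DNS Domain
    server_fqdn: str              # Server document -> Basics -> Fully qualified Internet host name
    http_host_name: str           # Server document -> Internet Protocols -> HTTP -> Host Name
    sametime_community_host: str  # Notes client preferences -> Sametime Communities -> server


def check_sso_domains(s: SsoSettings) -> dict:
    """Compare every configured host against the LtpaToken DNS domain.

    Returns a dict mapping each setting name to True (inside the token domain)
    or False (outside it, i.e. the re-logon will fail with a missing token).
    Assumption of this example: an empty HTTP Host Name falls back to the
    server's fully qualified host name.
    """
    http_host = s.http_host_name or s.server_fqdn
    return {
        "server_fqdn": host_in_domain(s.server_fqdn, s.ltpa_token_domain),
        "http_host_name": host_in_domain(http_host, s.ltpa_token_domain),
        "sametime_community_host": host_in_domain(s.sametime_community_host, s.ltpa_token_domain),
    }


def sso_consistent(s: SsoSettings) -> bool:
    """True only if all three places agree with the token's DNS domain."""
    return all(check_sso_domains(s).values())


# Constructed sample mirroring the post's scenario: the Sametime community on the
# client points at a host in a different DNS zone than the one in the token.
BROKEN = SsoSettings(
    ltpa_token_domain=".example.com",
    server_fqdn="sametime.example.com",
    http_host_name="sametime.example.com",
    sametime_community_host="sametime.example.net",
)

# Same environment after the client preference was corrected.
FIXED = SsoSettings(
    ltpa_token_domain=".example.com",
    server_fqdn="sametime.example.com",
    http_host_name="",
    sametime_community_host="Sametime.Example.COM",
)

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_sso_domains(cfg))
```

Run it as-is to see the broken configuration flag only the Sametime community host; swap in your own four values to check a real environment. Hosts in a sub-zone of the token domain (host.sub.example.com against .example.com) are accepted, because that is how the domain-scoped token is matched.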
Remarks:
- Without an authentication server specified, Notes will obtain the token directly from the configured Sametime server. If the token is obtained from an authentication server, the secret key within that token must of course match the one configured in your Sametime server.
- A complete list of settings that can be predefined within the Sametime client by using Domino policies is available here