Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Previous Document Next Document

Sametime Missing single sign on token

Thomas Hampel
 2 September 2013

I've just fixed an authentication issue in a customer environment and wanted to pass along the findings.

The problem:
Sametime users can log on to via username/password, but SingleSign On isnt working as expected.
On the client, the configuration pretty much looks like that:
Image:Sametime Missing single sign on token

Authentication via Domino SingleSignOn is working fine at the first Notes Client logon. Once the client disconnects, e.g. network disconnect, computer went on standby, etc. etc. the Notes client can no longer authenitcate with the server. The error message "Missing single sign on token" is displayed.
Image:Sametime Missing single sign on token
For now, clients had to restart the Notes Client to log back into Sametime.

Root cause:
After successful authentication, the server is handing out a token (LtpaToken) to the client which seems to be bound to the DNS domain specified in this token.
The Sametime community configured at the client must be in the same DNS zone, otherwise users can only log in once but not re-logon without restarting the client.

Solution:
Check the following three places and make sure the DNS domain specified is the same.
  1. The LtpaToken used by the server
    see Domino Directory : Web Configurations\Web SSO Configuration\LtpaToken
    Image:Sametime Missing single sign on token
  2. The Server document
    - Basics \ Fully Qualified Internet Host name
    Image:Sametime Missing single sign on token

    - Internet Protocols \ HTTP \ Host Name
    Image:Sametime Missing single sign on token
  3. Notes Client Preferences \ Sametime Communities
    Image:Sametime Missing single sign on token<< obviously this screenshot shows a different Domain name than the one specified in the LtpaToken

Remarks
  • Without an authentication server specified, Notes will obtain the token directly from the Sametime server configured. If the token is obtained from an authentication server, the secret key within the token of course will have to match the token configured in your Sametime server.
  • A complete list of settings that can be predefined within the Sametime client by using Domino policies is available here
Tagged with: Error Notes Sametime
Comments

1.) Sametime Missing single sign on token

Kumar http:// 16.03.2014 8:43:35

We have stand-alone STMUX server (which runs only STMUX service and no domino). We are able to get it working using AD Authentication. However, the Single Sign-On doesn't work when Authentication server name is blank. (I suspect this is because the Stand-alone mux server doesn't run domino. Shouldn't it redirect the connection to community server and get the authentication working?

It works when we specify the community server as Authentication server though. Is there anyway we can use SSO to work without specifying the Authentication server?

Any help is highly appreciated.

Go ElsewhereSubscribe to RSSAboutStay ConnectedAnd More
Thomas Hampel, All rights reserved.