A customer queried something similar. If it is the same cause then it is due to managed-settings.xml not being configured to cater for older clients. What version of the client are you using?
The problem is that the managed-settings.xml is not configured correctly for SSO to work for all versions of the embedded Sametime client.
Once my VPN was working I could happily reproduce the problem. What is configured to happen is that I login to the Community server. Once logged in the Sametime client stores an LTPAToken obtained from the Community server. This LTPAToken can be used by other IBM software that uses the same LDAP and DNS domain.
The reason why it is not working for me is that loginByToken=true is missing from managed-settings.xml, so my version of the client will not attempt to use the LTPAToken obtained from the Community server. I added loginByToken=true to C:\Program Files\IBM\Lotus\Notes\Data\workspace\.metadata\.plugins\org.eclipse.core.runtime\.settings\com.ibm.rtc.meetings.shelf.prefs and on restart of the Notes client I was automatically logged into the Meeting client (after signing into the Community server).
IBM documentation says that loginByToken=true is not required in the Sametime client version 8.5.2. I am using Notes 8.5.3 which has Sametime 8.5.1 embedded hence why it fails. It might be possible that the same is true of your users who have reported this and the test I have detailed above is valid and can be used on these users.
If you add loginByToken=true to com.ibm.rtc.meetings.shelf.prefs and start the Notes client for those affected people then you know what works for me works for them.
If you can confirm that, then the following approach can be taken to apply the setting to all users regardless of client version, though you will want to test this first before updating the managed-settings.xml used by the default Sametime policy.
- Back up \Lotus\Domino\Data\domino\html\update\managed-settings.xml
- Under "<settingGroup name="com.ibm.rtc.meetings.shelf" lastModDate="20130424T000001Z">" add "<setting name="loginByToken" value="true" isLocked="you decide" />", deciding whether you want to enforce this.
- Save the xml.
- Test the Notes client. You may need to delete your workspace (C:\Program Files\IBM\Lotus\Notes\Data\workspace) directory to pick up the changes.
- You may also want to change the lastModDate date so that the client knows that there's been a change but you should test this behaviour on your clients first.
In the Sametime 126.96.36.199 wiki (link) it says (about loginByToken) under "release" "8.5 through 188.8.131.52. Not used in 8.5.2." It also goes on to say "If the community server and meeting server are configured in the same single sign-on domain, this key, when set to true, forces the meeting client to log in with the LTPA token from the community server. If the meeting server is configured to re-use the community server credentials, the client automatically attempts to log in with a user name and LTPA token before falling back to a user name and password. Note that clients running releases earlier than 8.5.2 can also use an LTPA token but do not attempt to do so automatically and have no fallback mechanism. This value cannot be applied to specific meeting servers. Because it is a global setting for all servers, do not use this value if you have these older clients and some community servers and meeting servers that are not configured for single sign-on."
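The edit steps listed above (back up, add the setting, optionally change lastModDate) can be scripted so that repeat runs do not duplicate the entry. This is an added example, not IBM's tooling or code from the original post; the sample XML (including its root element name and "exampleSetting") is constructed, and the "true"/"false" values for isLocked are an assumption.

```python
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

GROUP = "com.ibm.rtc.meetings.shelf"  # settingGroup named in the steps above

# Constructed sample; the root element name and "exampleSetting" are assumptions.
SAMPLE = """<ManagedSettings>
  <!-- constructed sample -->
  <settingGroup name="com.ibm.rtc.meetings.shelf" lastModDate="20130424T000001Z">
    <setting name="exampleSetting" value="1" isLocked="false" />
  </settingGroup>
</ManagedSettings>"""

def add_login_by_token(xml_text, locked, last_mod_date=None):
    """Return (new_xml, changed); re-running on patched input changes nothing."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))  # keep comments
    root = ET.fromstring(xml_text, parser=parser)
    groups = [g for g in root.iter("settingGroup") if g.get("name") == GROUP]
    if len(groups) != 1:  # refuse to guess which group to edit
        raise ValueError(f"expected one {GROUP} settingGroup, found {len(groups)}")
    group = groups[0]
    # Assumption: isLocked takes "true"/"false"; the page leaves the choice to you.
    wanted = {"name": "loginByToken", "value": "true",
              "isLocked": "true" if locked else "false"}
    found = [s for s in group.findall("setting") if s.get("name") == "loginByToken"]
    changed = len(found) != 1 or dict(found[0].attrib) != wanted
    if changed:
        for stale in found:  # drop duplicates or a wrong value, then add one clean entry
            group.remove(stale)
        ET.SubElement(group, "setting", wanted).tail = "\n  "
        if last_mod_date:  # optional bump, same format as "20130424T000001Z"
            group.set("lastModDate", last_mod_date)
    return ET.tostring(root, encoding="unicode"), changed

def patch_file(path, locked, last_mod_date=None):
    """Patch managed-settings.xml in place, writing <name>.bak first if it changes."""
    path = Path(path)
    new_xml, changed = add_login_by_token(path.read_text(encoding="utf-8"),
                                          locked, last_mod_date)
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(new_xml, encoding="utf-8")
    return changed
```

ElementTree does not re-emit the XML declaration here, so compare the result against the .bak copy before publishing it to clients.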