Thursday, November 10, 2011 9:47 PM
How do I permanently delete ALL stored credentials for entire PC for Lync?
The product is being used on a classroom PC with many different professors using it all logging in under a generic classroom log in.
Microsoft with their usual lack of any kind of common sense set the password and username etc to be saved BY DEFAULT. HOW ABSOLUTELY UNSECURE AND STUPID!!!!!!!!!!!!!!!!!!!!!!! And there seems to be no way short of wiping the PC to remove it.
A reg hack to stop it from doing so in the future IS USELESS once it has done it!!!!!!!!!!!! WHAT AN ABSOLUTELY DUMB AND UNSECURE DEFAULT!!!!!!!!!!
How do I get rid of the cached credentials without wiping the PC??????????????
Thanks to all who will help, and a POX on MS for letting this happen,
Thursday, November 10, 2011 9:58 PM
PS....I removed the software 4 times and wiped all findable traces of it from the registry and rebooted, there were 90, there should have been NONE after an uninstall. Typical lack of Microsoft quality and thoroughness.
After a reinstall the credentials were still there. NOT ACCEPTABLE !!!!!!! HOW ABSOLUTELY UNSECURE!!!!!!!!!!!!!!
Find me someone who can say that is a good thing to do security wise and I'll show an infected PC with the users credentials stolen and an empty bank account.
Ralph
Thursday, November 10, 2011 11:00 PM
It's actually a certificate that is stored in the cert store for the local user.
You could turn this feature off or set it to 1 hour or something from a Lync policy.
But to start with:
1. Open Windows Certificate Manager. To do this, click Start, click Run, type certmgr.msc, and then click OK.
2. Expand Personal, and then expand Certificates.
3. Sort by the Issued By column, and then look for a certificate that is issued by Communications Server.
4. Verify that the certificate is present and that it is not expired.
5. Delete the certificate and try to sign in to Lync.
To turn down the validity period see http://technet.microsoft.com/en-us/library/gg398396.aspx
For details on all this you could look through these slides: http://ecn.channel9.msdn.com/o9/te/Europe/2010/pptx/unc310.pptx
Best Regards // Tommy Clarke - Please follow me @ Blog
Monday, November 14, 2011 10:21 AM Moderator
With client certificate authentication, we place the certificate that contains user information in the user's personal certificate store.
So you have to remove the user certificate and set the registry key HKCU\Software\Microsoft\Communicator\SavePassword to 0.
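The two replies above (delete the certificate issued by Communications Server from the user's Personal store, then set SavePassword to 0) can be scripted for a shared classroom profile. This is an added example, not part of any post in the thread; the function name, the issuer match on the text "Communications Server" and the DWORD value type are assumptions.

```powershell
# Added example. Run it in the session of the shared (generic) account, because
# both the Personal certificate store and HKCU are per-user.
function Clear-LyncSavedSignIn {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumption: the issuer name contains this text, as shown in the
        # "Issued By" column of certmgr.msc.
        [string]$IssuerMatch = 'Communications Server'
    )

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        # Snapshot the matches first, then remove them from the store.
        $found = @($store.Certificates | Where-Object { $_.Issuer -like "*$IssuerMatch*" })
        foreach ($cert in $found) {
            $label = '{0} (thumbprint {1}, expires {2:u})' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
            if ($PSCmdlet.ShouldProcess($label, 'Remove certificate')) {
                $store.Remove($cert)
            }
        }
    }
    finally {
        $store.Close()
    }

    # Registry value named in the thread; DWORD is an assumed value type.
    $key = 'HKCU:\Software\Microsoft\Communicator'
    if ($PSCmdlet.ShouldProcess("$key\SavePassword", 'Set to 0')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'SavePassword' -PropertyType DWord -Value 0 -Force | Out-Null
    }

    # Return what was matched so the run can be logged.
    $found | Select-Object Subject, Issuer, Thumbprint, NotAfter
}

# Preview only; rerun without -WhatIf to apply the changes.
Clear-LyncSavedSignIn -WhatIf
```

Because the sign-in certificate is reissued at the next sign-in, the script only has a lasting effect on a shared machine if the certificate validity or SavePassword behaviour is also restricted by policy, as the replies describe.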
Monday, November 14, 2011 2:31 PM
Thank you iTommyClarke for the reply. You had the correct answer.
Monday, November 14, 2011 3:42 PM
Thank you Noya, I had seen this fix before, and it seems to work. Unfortunately for me this was not the default for the Lync program.
Microsoft needs to make sure that applications like these NEVER save passwords automatically. They should not even save the user name without the user requesting it. It is great that there is an option to do so for those situations where it is appropriate, but NEVER by default.
One of the advertised uses of this product is in education. In education, in many classrooms that are shared by multiple instructors, there will be a classroom PC for use by the instructor etc. In many cases the systems will be set up so that the user logs in with a generic user name and password. In these situations (I have at least 1000 systems set up this way where I work), it is imperative that the Lync product not remember the user name or the password of the current user. To have to do a reg hack to stop it from asking, and defaulting to remembering the password etc is ridiculous to say the least, insecure to say a bit more and poorly thought out, without question. A better solution would be that on install one is asked if they would like this feature turned on and or if Lync should remember all past users in a drop down box for quicker log ins but not their passwords unless an extra option box is provided for that. This would, of course, make for a common sense approach to the problem. On top of that I wonder what would have happened after 60 days when we have to change our password. Would the system in the classroom continue to log me in under the old password which would lock my account after 3 tries? As you can see Lync, as it is currently set up, is not ready for the world of education. (That doesn't even address the 3 out of 4 failure rate I am having getting the Lync Attendee to work. It even fails on a Virgin PC. But that is another problem for another thread.)
I would recommend that MS make these simple adjustments to the program and quickly release a Lync 2010.5 or just rename it to 2012. My experience in programming tells me that it should take about a day to modify the source code to do that and due to the relatively simple programming involved, beta testing should be practically unneeded.
Wednesday, November 16, 2011 5:48 PM
You can use Group Policy to deploy the registry setting to your domain and disable it for your entire organization.
Btw I also work in education, but our University policy is *no* generic logins ever, period, end of line. Every staff, faculty, and student is issued their own unique username, and they are responsible for any shenanigans that occur with that username. We eliminated generic logins many years ago, and have been much better off without them.