Lync 2010 External Login issue. Anyone can log in with anyone's username.

    Question

  • Deployed Lync 2010. We have a FE, an Edge and TMG. When testing we discovered that inside the firewall all works well. Outside the firewall we can enter anyone's login name and it just logs us in. When logged in as that user it prompts for credentials, but that is only to access the address book. If we click cancel we are logged into the other user's account and all works except the address book. Inside the firewall, if we change the login credentials it prompts for username and password, and since I do not know the password I cannot get in.

    This seems to be a major security hole. What could be wrong with the edge? I have changed every setting to no avail. The only thing that stops this behavior is to uncheck "remote access" in the policy. Unfortunately with that setting no one can login to Lync without connecting via VPN.

    Any ideas? It's hard to troubleshoot something that doesn't throw any errors.


    Saturday, December 10, 2011 1:14 AM

All replies

  • Hi Daniel,

    Let's clarify your question:

    You have enabled external user access, and when a user, let's say UserA, connects from outside, s/he can not only log in to her/his own user account but also log in to Lync with any other enabled user account, let's say UserB as an example; as long as s/he enters UserB's SIP address s/he can log in to Lync with UserB's account, right?

    Would you please verify whether UserB has signed in on this computer before and selected "Save my password" at the first sign-in? Anyway, please try the following steps to clear the "Save my password" state in the Lync client and get the checkbox back, in case you are hitting this scenario.

    1) Run Regedit.exe and locate the registry key HKEY_CURRENT_USER\Software\Microsoft\Communicator; in the right panel find the DWORD value SavedPassword and set the value to 1.

    2) Run MMC, go to the menu "File" then "Add/Remove Snap-in", add "Certificates", and under the Personal store of the user certificates delete the user certificate that matches the user's SIP address.

    Regards,

    Sharon


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, December 12, 2011 9:11 AM
    Moderator
  • Thank you for the response:

    You have enabled external user access, and when a user, let's say UserA, connects from outside, s/he can not only log in to her/his own user account but also log in to Lync with any other enabled user account, let's say UserB as an example; as long as s/he enters UserB's SIP address s/he can log in to Lync with UserB's account, right? Yes.

    It is not cached passwords or the certificate. If I turn on my edge server and you open the Lync client on your laptop and enter my sip address you will be able to connect and see my contact list and communicate as me. 

    I will test your suggestions to rule out those variables.

    Monday, December 12, 2011 2:55 PM
  • Checked all that you specified. None of that fixed the issue. It's a very odd problem. I have no idea how we managed to open that hole. Fully patched OS and fully patched Lync. BPA does not show an issue.
    Monday, December 12, 2011 10:48 PM
  • Hi Daniel,

    It's a weird issue; I haven't seen this scenario. It seems there is something wrong with your Edge server. Did you try to remove the Edge from your topology and then re-deploy it again?

    Meanwhile I will escalate this issue to the escalation support engineer team; if you can provide more details about your scenario (such as Lync topology, network map) it will help more.

    However if this issue is urgent it's better to open a ticket with Microsoft and the premier support engineer will work together with you to troubleshoot this issue online.

    Regards,

    Sharon


    Tuesday, December 13, 2011 1:45 AM
    Moderator
  • Hi Daniel,

    The behavior you described is definitely not expected, and as Sharon has suggested, if this is a big concern for you please open a support request so that we can address it as soon as possible.

    Meanwhile, please try creating a new user in your AD and enable it in Lync (Allow remote access). Now use that user account to log in externally (without ever logging in on the internal network). Are you able to reproduce the behavior using the new account?

    Also:

    1. Have you tried reproducing this behavior on a different external client?
    2. Have you tried reproducing this behavior when logged in as a non-admin user?
    3. Have you tried reproducing this behavior using a machine not joined to the domain?
    Tuesday, December 13, 2011 5:45 AM
  • Hi Daniel,

    I've seen that issue back in OCS 2007 and R2 when the Edge Server is defined as a Trusted Server in the Pool/Front End Server and configured as Authenticated.

    Can you run Get-CsTrustedApplicationPool and check whether the Edge server is there? If it is configured as a trusted application pool and configured as TreatAsAuthenticated, then this might be the issue.

    Turgay

     

    Tuesday, December 13, 2011 8:23 PM
  • Hi Turgay,

    I'm working with Daniel on our external Lync authentication issues. I ran the Get-CsTrustedApplicationPool and sure enough both of our OCS 2007 servers are listed there and are both TreatAsAuthenticated. Currently all of our users are migrated to Lync 2010 and our OCS servers are turned off. What steps do we need to take to remove this from our Lync environment?

    Thanks,

    Bobby.

    Thursday, December 15, 2011 8:41 PM
  • Hi Bobby,

    Those OCS 2007 servers you mentioned, are they the OCS 2007 Edge servers?

    If you have deployed Lync Edge servers and you don't see them as TreatAsAuthenticated then there should be some other issue with your environment.

    Just make sure that the active edge servers are not listed as authenticated there.

    This would do the trick: Set-CsTrustedApplicationPool -Identity edgeserver.contoso.com -TreatAsAuthenticated $false

    Turgay

    Thursday, December 15, 2011 9:50 PM
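    The check Turgay describes, as an added example that is not part of the thread: an audit of every trusted application pool that is TreatAsAuthenticated, so that a decommissioned OCS pool (Bobby's case) or a Lync Edge that should not be trusted as pre-authenticated stands out. It uses only the cmdlets already named in the thread (Get-CsTrustedApplicationPool, Set-CsTrustedApplicationPool) plus Remove-CsTrustedApplicationPool for pools that no longer exist; the `edge` hostname fragment is an assumed default to adjust for your environment.

```powershell
# Added example (not from the thread). Run in the Lync Server Management Shell
# on a Front End. Lists trusted application pools the Front End treats as having
# already authenticated the user, which is what lets an external client sign in
# on SIP address alone when an Edge ends up in that list.
param(
    [string]$EdgePattern = 'edge'   # assumption: your Edge hostnames contain "edge"
)

$trusted = Get-CsTrustedApplicationPool | Where-Object { $_.TreatAsAuthenticated }

if (-not $trusted) {
    'No trusted application pool is TreatAsAuthenticated.'
    return
}

foreach ($pool in $trusted) {
    # Anything matching the Edge pattern is a direct hit on the symptom in this thread.
    $isEdge = ([string]$pool.Identity) -match $EdgePattern
    $note   = if ($isEdge) { 'EDGE: remove authenticated trust' } else { 'review: is this server still in use?' }
    '{0,-45} TreatAsAuthenticated={1}  {2}' -f $pool.Identity, $pool.TreatAsAuthenticated, $note
}

# Remediation, left commented so the audit itself changes nothing:
#   an Edge that must not be trusted as authenticated (the cmdlet Turgay gives):
#     Set-CsTrustedApplicationPool -Identity edgeserver.contoso.com -TreatAsAuthenticated $false
#   a pool for a server that has been powered off and decommissioned:
#     Remove-CsTrustedApplicationPool -Identity oldpool.contoso.com
```

    After changing the setting, re-run the audit and re-test an external sign-in with an account that was never used on the internal network, as the earlier reply suggested, so that a cached credential or user certificate cannot mask the result.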
  • Turgay,

    These servers are OCS 2007 front end servers. We have deployed a Lync edge server and it is not listed as a trusted server or TreatAsAuthenticated. The OCS servers are both powered off, yet we can log in to Lync from outside our network as any Lync user without being prompted for authentication. Do you have any ideas what could be causing this security hole? Currently I have disabled remote user access until I can resolve the authentication issue.

    -Bobby

    Monday, December 19, 2011 8:47 PM
  • It's weird, I'll give you that!

    We're having the same issue.

    One OCS server, One Lync Front end, One Lync Edge.

    Each user in the Lync pool that is enabled for external access can log in without entering a password.

    This is a major security issue here... We turned the edge server off to avoid this.

    Anyone had luck resolving this issue?

    Wednesday, December 21, 2011 5:30 PM
  • I hit this a couple of years ago. Check out this blog post: http://mikestacy.typepad.com/mike-stacys-blog/2009/02/communicator-does-not-prompt-for-logon-credentials.html
    Mike Stacy | http://mikestacy.typepad.com
    Saturday, December 24, 2011 3:45 PM
    Moderator
  • Hi,

    I am also facing the same issue (From external, any user can login without providing passwords - but when trying from internal network, it's prompting for the password)? Have you found any solution for this?

    Note: I never had any OCS servers; this is the first time installing in my domain, and my Edge server is not in the trusted application pool either.

    Thanks in advance

    Regards,
    Vinu Kumar T K


    Thursday, February 23, 2012 3:10 PM
  • Have you by any chance installed a multi-SAN certificate on the internal Edge interface containing the front-end server's name?

    This can cause users to sign in without providing credentials.

    If so, install a new certificate on the internal Edge interface containing only the Edge server's FQDN.


    • Edited by y0av Thursday, February 23, 2012 4:57 PM
    • Proposed as answer by Vijeesh Kumar T K Friday, February 24, 2012 9:31 AM
    Thursday, February 23, 2012 4:51 PM
  • It worked for me, thanks y0av.


    Regards, Vijeesh

    Friday, February 24, 2012 9:31 AM
  • Hi, check the authentication delegation in the TMG publishing rule; it must be "No delegation, but client may authenticate directly".
    If you do not have it, your external client will prompt for a password. Do as I write and it will be passed.
    Monday, March 05, 2012 1:41 PM
  • I find this thread interesting. I went to update to CU4 and found an article on the Internet claiming that it broke Edge server authentication. Now I'm beginning to believe it's not CU4 and more likely a config issue.

    Read up on it here.

    http://social.technet.microsoft.com/Forums/en-US/ocsedge/thread/4abce8ea-1197-4eb4-96e8-b7bea1a02f05

    Friday, March 09, 2012 12:30 AM
  • Hi Daniel,
    I'm sure (or at least I hope) you fixed this already, but in case someone else runs into this issue: I have seen customers using the same certificate on the Edge internal interface and on the next hop pool (of course with all the required SANs). If you do that, all traffic coming from the Edge will already be trusted and there will be no prompt for external users to sign in. You should always use a dedicated certificate on the internal Edge interface with only the internal Edge (pool) FQDN as SN and no SAN.

    hth,

    thomas

    Tuesday, October 09, 2012 12:36 PM
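    The certificate condition y0av and Thomas both describe, as an added example that is not part of the thread: a check of the certificate assigned to the Edge internal interface that lists its Subject CN and every DNS SAN and flags any name other than the Edge internal FQDN. It assumes Get-CsCertificate -Type Internal on the Edge returns the assigned certificate with a Thumbprint property; the SAN parsing itself uses only the .NET X509 extension API, and the Edge FQDN default is a placeholder to replace.

```powershell
# Added example (not from the thread). Run on the Edge server in the Lync Server
# Management Shell. Confirms that the internal-interface certificate names only
# the Edge itself; a certificate that also carries the Front End / next-hop pool
# name makes the Front End treat Edge traffic as coming from a trusted peer.
param(
    [string]$EdgeInternalFqdn = 'edge.corp.contoso.com'   # assumption: replace with your Edge internal FQDN
)

# Assumption: -Type Internal returns the certificate assigned to the Edge internal interface.
$assigned = Get-CsCertificate -Type Internal | Select-Object -First 1
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $assigned.Thumbprint }
if (-not $cert) { throw "Certificate $($assigned.Thumbprint) not found in LocalMachine\My" }

# DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    $sans = ($sanExt.Format($true) -split "`r?`n") |
        Where-Object { $_ -match 'DNS Name=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}

$subjectCn = (($cert.Subject -split ',')[0] -replace '^\s*CN=', '').Trim()

"Thumbprint : $($cert.Thumbprint)"
"Subject CN : $subjectCn"
"DNS SANs   : $($sans -join ', ')"

$extra = @($sans | Where-Object { $_ -ne $EdgeInternalFqdn })
if ($subjectCn -ne $EdgeInternalFqdn -or $extra.Count -gt 0) {
    Write-Warning "Internal Edge certificate names more than ${EdgeInternalFqdn}: $($extra -join ', ')"
    Write-Warning 'Issue a dedicated certificate with only the Edge internal FQDN and assign it to the internal interface.'
} else {
    'OK: internal Edge certificate names only the Edge internal FQDN.'
}
```

    The same listing is worth running against the Front End's own certificate for comparison: if the two thumbprints match, the Edge is presenting the pool's identity to the pool, which is exactly the shared-certificate setup Thomas warns about.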