Cannot delete password and username cached by Lync 2010 on public PC...NOT COOL MICROSOFT!!!!!!!!!

    Question

  • How do I permanently delete ALL stored credentials for the entire PC for Lync?

    The product is being used on a classroom PC with many different professors using it all logging in under a generic classroom log in.

    Microsoft, with their usual lack of any kind of common sense, set the password and username etc. to be saved BY DEFAULT. HOW ABSOLUTELY UNSECURE AND STUPID!!!!!!!!!!!!!!!!!!!!!!! And there seems to be no way short of wiping the PC to remove it.

    A reg hack to stop it from doing so in the future IS USELESS once it has done it!!!!!!!!!!!! WHAT AN ABSOLUTELY DUMB AND UNSECURE DEFAULT!!!!!!!!!!

    How do I get rid of the cached credentials without wiping the PC??????????????

    Thanks to all who will help, and a POX on MS for letting this happen,

    Ralph Malph

    Thursday, November 10, 2011 9:47 PM

Answers

  • Hi

    It's actually a certificate that is stored in the cert store for the local user.

    You could turn this feature off or set it to 1 hour or something from a Lync policy.

    But to start with:

    1. Open Windows Certificate Manager. To do this, click Start, click Run, type certmgr.msc, and then click OK.
    2. Expand Personal, and then expand Certificates.
    3. Sort by the Issued By column, and then look for a certificate that is issued by Communications Server.
    4. Verify that the certificate is present and that it is not expired.
    5. Delete the certificate and try to sign in to Lync.

    To turn down the validity period see http://technet.microsoft.com/en-us/library/gg398396.aspx

    for details on all this you could look through these slides http://ecn.channel9.msdn.com/o9/te/Europe/2010/pptx/unc310.pptx


    Best Regards // Tommy Clarke - Please follow me @ Blog
    and Twitter
    • Proposed as answer by iTommyClarke Thursday, November 10, 2011 11:00 PM
    • Marked as answer by Ralph Malph 2 Monday, November 14, 2011 2:28 PM
    Thursday, November 10, 2011 11:00 PM

All replies

  • PS....I removed the software 4 times and wiped all findable traces of it from the registry and rebooted, there were 90, there should have been NONE after an uninstall. Typical lack of Microsoft quality and thoroughness.

    After a reinstall the credentials were still there. NOT ACCEPTABLE !!!!!!! HOW ABSOLUTELY UNSECURE!!!!!!!!!!!!!!

    Find me someone who can say that is a good thing to do security wise and I'll show an infected PC with the user's credentials stolen and an empty bank account.

    Ralph
    Thursday, November 10, 2011 9:58 PM
  • Hi Ralph,

    With client certificate authentication, we place the certificate that contains user information in the user's personal certificate store.

    So you have to remove the user certificate and set the registry key HKCU\Software\Microsoft\Communicator\SavePassword to 0.

    Monday, November 14, 2011 10:21 AM
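
The two fixes given in the replies above (delete the certificate issued by Communications Server from the user's Personal store, then set SavePassword to 0), combined in one script. This is an added example, not part of any reply in the thread; it assumes the issuer name contains "Communications Server" and that SavePassword is a DWORD value under the Communicator key.

```powershell
# Added example (not from the thread). Run as the Windows account that Lync was
# used under, with Lync closed. Without -Remove the script only lists matches.
param([switch]$Remove)

# Assumption: match on the issuer name quoted in the accepted answer.
$issuerPattern = '*Communications Server*'

# Use the .NET store API so removal also works on older PowerShell versions.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    # Snapshot the matches so the store is not modified while it is enumerated.
    $lyncCerts = @($store.Certificates | Where-Object { $_.Issuer -like $issuerPattern })
    foreach ($cert in $lyncCerts) {
        '{0}  {1}  expires {2:u}' -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter
        if ($Remove) { $store.Remove($cert) }
    }
    if ($lyncCerts.Count -eq 0) { 'No matching certificate in CurrentUser\My.' }
}
finally {
    $store.Close()
}

if ($Remove) {
    $keyPath = 'HKCU:\Software\Microsoft\Communicator'
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

    # Assumption: SavePassword is a DWORD value under this key; the thread
    # gives only the path and the value 0.
    New-ItemProperty -Path $keyPath -Name 'SavePassword' -Value 0 `
        -PropertyType DWord -Force | Out-Null

    # Verify both changes: no certificate from the issuer left, SavePassword = 0.
    $left = @(Get-ChildItem Cert:\CurrentUser\My |
              Where-Object { $_.Issuer -like $issuerPattern }).Count
    $save = (Get-ItemProperty -Path $keyPath -Name 'SavePassword').SavePassword
    "Certificates remaining: $left; SavePassword = $save"
}
```

Both the certificate store and the HKCU hive are per Windows profile, so on a shared classroom PC the script has to run inside the generic account's session, not from an administrator's own profile.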
  • Thank you iTommyClarke for the reply. You had the correct answer.

    Ralph Malph

     

    Monday, November 14, 2011 2:31 PM
  • Thank you Noya, I had seen this fix before, and it seems to work. Unfortunately for me this was not the default for the Lync program.

    Microsoft needs to make sure that applications like these NEVER save passwords automatically. They should not even save the user name without the user requesting it. It is great that there is an option to do so for those situations where it is appropriate, but NEVER by default.

    One of the advertised uses of this product is in education. In education, in many classrooms that are shared by multiple instructors, there will be a classroom PC for use by the instructor etc. In many cases the systems will be set up so that the user logs in with a generic user name and password. In these situations (I have at least 1000 systems set up this way where I work), it is imperative that the Lync product not remember the user name or the password of the current user. To have to do a reg hack to stop it from asking, and defaulting to remembering the password etc., is ridiculous to say the least, insecure to say a bit more, and poorly thought out, without question. A better solution would be that on install one is asked if they would like this feature turned on and/or if Lync should remember all past users in a drop-down box for quicker logins, but not their passwords unless an extra option box is provided for that. This would, of course, make for a common sense approach to the problem. On top of that I wonder what would have happened after 60 days when we have to change our password. Would the system in the classroom continue to log me in under the old password, which would lock my account after 3 tries? As you can see, Lync, as it is currently set up, is not ready for the world of education. (That doesn't even address the 3 out of 4 failure rate I am having getting the Lync Attendee to work. It even fails on a Virgin PC. But that is another problem for another thread.)

    I would recommend that MS make these simple adjustments to the program and quickly release a Lync 2010.5 or just rename it to 2012. My experience in programming tells me that it should take about a day to modify the source code to do that and due to the relatively simple programming involved, beta testing should be practically unneeded.

    Thanks again,

    Ralph Malph

    Monday, November 14, 2011 3:42 PM
  • You can use Group Policy to deploy the registry setting to your domain and disable it for your entire organization.

    Btw I also work in education, but our University policy is *no* generic logins ever, period, end of line.  Every staff, faculty, and student is issued their own unique username, and they are responsible for any shenanigans that occur with that username.  We eliminated generic logins many years ago, and have been much better off without them.

    Wednesday, November 16, 2011 5:48 PM