
Prevent Lync from Auto-Saving Credentials (e.g. on a multi-user PC)

April 12, 2012

I have a customer whose computers are used by multiple people under a common AD logon. For example, a PC in a central area has a single logon, and several different people might run a Lync client under that same logon profile.

The scenario that might be considered problematic is:
  • James Bond signs in to Lync on this PC and his credentials are saved (i.e. at the next logon James Bond does not have to enter his credentials)
  • Money Penny signs in to Lync on this PC and her credentials are saved (i.e. at the next logon Money Penny does not have to enter her credentials)
  • The problem now is that anyone can walk up to this PC and log in as James Bond or Money Penny

So how can this situation be avoided and what can we learn about how the Lync client stores credentials?

The Lync client actually receives a certificate created by the Lync server, which is downloaded to the user's local certificate store. It is this certificate that contains the user’s saved logon credentials. There are also two local registry settings that control the prompting for a user’s credentials, and these need to be set if you do not want a user to be prompted for credentials.

If people have already logged on and saved their credentials on a PC, all you need to do is configure the two registry entries on that particular machine.

However, before you do that you must first remove the Lync Server created certificates:
• Open the local certificate store on the PC: Start / Run / mmc / Add / Certificates (make sure to select “My User Account” and that you are logged on as the user who will need to be prompted for Lync credentials no matter who is signing in to Lync)
• Expand Certificates / Personal / Certificates
• Delete the certificates in this folder
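
The certificate cleanup above can also be scripted; the PowerShell below is an added example, not part of the original post, and the function name is hypothetical. It assumes PowerShell 3.0 or later and that the Lync-issued certificates carry the issuer CN=Communications Server (confirm this in the "Issued By" column of the Certificates snap-in first), so unlike the manual step it leaves any other certificates in the Personal store untouched.

```powershell
# Added example. Run it while logged on as the shared account, because
# Cert:\CurrentUser\My is the "Personal" store of the current user.
function Remove-LyncSavedCertificate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Assumption: issuer string of the Lync server created certificates.
        [string]$Issuer = 'CN=Communications Server',
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $action = 'Kept (other issuer)'

        if ($cert.Issuer -eq $Issuer) {
            $action = 'Matched, not removed'
            $target = "$($cert.Subject) [$($cert.Thumbprint)]"

            # ShouldProcess returns $false under -WhatIf or when the
            # confirmation prompt is declined, so nothing is deleted then.
            if ($PSCmdlet.ShouldProcess($target, 'Remove certificate and private key')) {
                # -DeleteKey also removes the private key, so the saved
                # sign-in cannot be reused from this profile.
                Remove-Item -Path (Join-Path $StorePath $cert.Thumbprint) -DeleteKey
                $action = 'Removed'
            }
        }

        # One record per certificate, so the result can be reviewed or logged.
        [pscustomobject]@{
            Action     = $action
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
}

# Preview only: lists what would be removed without changing the store.
Remove-LyncSavedCertificate -WhatIf | Format-Table -AutoSize
```

Run the function again without -WhatIf to perform the removal; each matching certificate is confirmed individually.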

Make this regedit change:
Turn off Save Password (make sure the value is set to “0”):

Make this regedit change:
Note: Make sure the value is set to “0”:

Reboot the PC and you should now not be prompted for credentials.
