Needless to say that this step should be added to your employee leaving procedures to ensure that access is completely disabled. For near immediate results you should use the Lync Server Control Panel to “Temporarily disable for Lync Server”. The certificate can be revoked or deleted from the client to enforce re-authentication using domain credentials, however this will not affected signed in users immediately, and its interesting to note that if the domain credentials are still valid, they will still sign automatically downloading a new certificate in the process. The certificate is valid for 180 days and will be used for authentication from then on, and as a result the users AD account will not be checked during sign-in. If the user selects “Save my password” during sign-in, Lync server will generate a X.509 certificate and publish it to the RTC database, as well as the current users local certificate store on their PC. Kerberos is the default authentication method for authenticating clients on the domain, while NTLM is used when authenticating externally via the Lync Edge servers.
Lync Server has 3 options when it comes to authentication - Kerberos, NTLM, and certificate based. Wanting to understand the process better I tested Jeff’s findings on Lync Server 2013. Thinking this was crazy talk I set out to figure out how this was possible, and stumbled across Jeff Guillet’s article Disabling a User in AD Does Not Disable the User In Lync. A few months ago it was brought to our attention that disabled users were still able to sign-in to Lync.
0 kommentar(er)
