Using two-factor authentication with Lync client and Lync Server 2013
Topic Last Modified: 2013-07-11
This topic describes how to take advantage of two-factor authentication with the Lync 2013 client.
Sign in to Lync 2013 for the first time
Your Lync sign-in information is usually configured automatically when Lync 2013 is installed. But the first time you use Lync, you might have to manually start the client.
To sign in to Lync for the first time
Log on to your organization’s network.
Select Start > All Programs > Microsoft Lync > Lync 2013.
You should see the Lync sign-in screen.
If the sign-in address box is already filled in, confirm that the address shown is correct.
If it’s not correct, or if the box is empty, enter your Lync sign-in address (this is usually the same as your email address).
If an empty password box is displayed, add your password.
Select Sign-in.
Sign out of Lync
When you’re finished using Lync, you can close the display, sign out of your session, or exit from the program, all from the File menu. The following table explains the differences in the options.
Option | What it does | How to perform it |
---|---|---|
Close | Closes your Lync display but lets the Lync session identified with your user ID continue to run. This is so you can continue to get notifications and interact with others. You can get the display back at any time by clicking the Lync icon on the taskbar or the notification area at the bottom of your screen. | On the Lync main window, do one of the following: |
Sign out | Ends the Lync session associated with your user ID, but Lync continues to run in the background. When you sign out, the sign-in window will appear. Tip: Select Delete my sign-in information when you sign out to remove the record of your logon ID and password from the computer. Doing this might make it easier for support people to troubleshoot sign-in issues. It can also help ensure your sign-in information is more secure by making it difficult for unauthorized users to log on with your credentials. | On the Lync main window, select the Options button, then select File > Sign Out. |
Exit | Ends your Lync session and shuts down Lync on your computer. After exiting, if you want to restart Lync, select Start > All Programs > Microsoft Lync > Lync 2013. | On the Lync main window, select the Options button, then select File > Exit. |
Sign in to Lync with a Smart Card
Some organizations now use a multi-step sign-in process, called two-factor authentication, to increase security for their Lync 2013 users. If you’re expected to use this option, you’ll need a “smart card” to sign in to Lync. Smart cards come in two varieties, physical and virtual:
Physical: About the size of a credit card. You insert it into a smart card reader when you log in.
Virtual: Not a physical object, but an electronic identifier that gets written to a special chip on your computer, which in essence builds the smart card into your computer. Available only for use with Windows 8 computers that contain the TPM (Trusted Platform Module) chip.
Enroll your smart card
Before you can sign in with a smart card, the card must be “enrolled”; that is, your user credentials have to be identified with the card. This is the case whether the card is physical or virtual. This process may already have been carried out by your Lync Server administrator. Check with them if you’re not sure whether that has been done.
Note
Since each virtual smart card is associated only with the device it’s installed on, a separate card will need to be enrolled for each Windows 8 computer you use.
To manually enroll your smart card
Log on to the computer you’ll be running Lync on.
Using Internet Explorer, browse to your organization’s Certificate Authority Web Enrollment page.
Ask your Lync Server administrator for the web address of this resource if you don’t already have it. The URL will look something like this: https://MyCA.[yourcompanyname].com/certsrv.
Note
If you’re using Internet Explorer 10, you may need to view this website in Compatibility Mode.
When you’re prompted to log on to the certification page, log on using your domain account (rather than as administrator of your computer).
On the website Welcome Page, select Request a certificate.
Select Advanced Request.
Select Create and submit a request to this CA, then click Next.
Now you’ll see a page called Smart Card Enrollment Station. Approve the request to install the ActiveX control, and then complete the Advanced Certificate Request form as follows:
Select Smartcard user from the Certificate Template dropdown list.
Select Create new key set.
Find the manufacturer information on the label of your smart card and select that manufacturer from the CSP dropdown list.
Select CSP as the Request Format, if it’s not already selected.
Select sha1 from the Hash Algorithm dropdown list, if it’s not already selected.
Give your certificate a name you’ll recognize, and click Submit.
Now insert your blank smart card into the card reader attached to the enrollment station and click Enroll.
When prompted, enter your personal identification number (PIN), and then click OK.
Note
If your technical support person has not given you a special PIN to use to enroll your smart card, use the default smart card PIN value, which is 12345678.
Select the option to force the user (you) to change the PIN the first time the smart card is used.
Click OK to confirm that the certificate displayed has your information on it.
Once you see the notice that the certificate has been issued, click Install this certificate to complete the enrollment process.
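To confirm what was enrolled, you can list the smart card logon certificates on the computer from PowerShell. This is an added example, not part of the original topic; it assumes the issued certificate is visible in the current user's Personal store (Cert:\CurrentUser\My), and the function name Get-SmartCardLogonCertificate is hypothetical. It reports the signature algorithm the CA used, whether a private key is associated, and how long the certificate remains valid.

```powershell
# Added example: review smart card logon certificates in the current user's store.
# Well-known Enhanced Key Usage (EKU) object identifiers.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # Client Authentication

function Get-SmartCardLogonCertificate {
    param(
        # Assumption: the enrolled certificate appears in the user's Personal store.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect the EKU OIDs from the Enhanced Key Usage extension, if present.
        $ekuOids = @(
            $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )

        # Skip certificates that cannot be used for smart card logon.
        if ($ekuOids -notcontains $SmartCardLogonOid) { continue }

        $sigAlg = $cert.SignatureAlgorithm.FriendlyName   # for example sha1RSA or sha256RSA

        [pscustomobject]@{
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            Thumbprint         = $cert.Thumbprint
            SignatureAlgorithm = $sigAlg
            SignedWithSha1     = [bool]($sigAlg -match 'sha1')
            ClientAuthEku      = [bool]($ekuOids -contains $ClientAuthOid)
            HasPrivateKey      = $cert.HasPrivateKey
            NotAfter           = $cert.NotAfter
            DaysRemaining      = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

# Show one block per matching certificate; no output means none was found.
Get-SmartCardLogonCertificate | Format-List
```

If the list is empty after enrollment, check with your Lync Server administrator that the Smartcard user template was the one issued.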
Sign in to Lync with your smart card credentials
Before you use your smart card for the first time, it’s recommended that you click Delete my sign-in info on the Lync sign-in page. Doing this clears any sign-in credentials stored on your computer, and eliminates a possible source of error.
To sign in to Lync with your smart card credentials
Start the Lync client.
On the Sign in screen, type your sign-in user account name in the Sign-in address box, and then click Sign In.
If you are using a virtual smart card, skip this step.
If you are using a physical smart card, insert the smart card into your smart card reader when prompted to do so, and then click OK when the card is detected.
Type in the PIN number for your smart card and then click OK.
Note
If you were not assigned a smart card PIN number by your support person, use the default value, which is 12345678.