Re: EFS/DRA
- From: Steve <Steve@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 7 Jul 2008 12:11:01 -0700
Thanks for the response.
I exported the private key, assigned it a password and saved it. Now it says
there is a private key that corresponds to the certificate. You say that if
it does, export it. Didn't I just do that? Or should I do it again?
Thanks alot for your help.
-- Steve
"Brian Komar (MVP)" wrote:
some initial answers inline....
"Steve" <Steve@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AA251001-9431-43DF-95F9-8E681FBB99FB@xxxxxxxxxxxxxxxx
All,This is good news <G>
I could really use some help with this EFS/DRA stuff. One thing at a time
I
suppose.
I have successfully published a DRA via Group Policy (Win2k3/AD). I
created
an encrypted file on an XP2 machine. When I click details of the encrypted
file, I can see the DRA. Associated with the user is a Cert Thumbprint.
I am logged onto a DC with the DRA user and when I open the Certificates
snap-in for mmc, the under Personal --> Certificates, the cert is there
(with
the same Thumbprint). Likewise the same cert is listed under Active
Directory
User Object --> Certificates.
Does it state that you have the private key associated with the certificate?
If yes, then export it now!! Do not pass go, do not wait for anything.
This is the only copy of the certificate and private key\
However when I try to access the files on the
XP machine from the DC (file share) it says access is denied. I am trying
to
test the data recovery agent before implementing EFS on my network. Did I
miss a step?
To use the key as the DRA, you must log on *locally* at the computer. You
are connecting over the network. You are connecting over the network. You
are creating a profile on the remote machine, generating a new EFS
certificate, and attempting to open it with that certificate. The
encryption/decryption is all remote.
It is not a transfer of the encrypted file to your machine. It is a remote
decryption and transfer of the file in the clear.
Possibly related or unrelated, I am also havinga problem with DC issued
certs vs. self-signed certs. I was testing with QA and found that I needed
to
add his self-signed cert to the encrypted file so that he could view it.
He
has been autoenrolled for a efs cert (duplicate of Basic EFS) but it
doesn't
appear to be working. What did I miss here? Also, I have noticed that many
users have been autoenrolled for the efs cert multiple times (viewing the
Certification Authority --> Issued Certificates).
There is a KB article (sorry no time to search for it now) that prevents the
creation of self-signed certificates. In addition, you want to enable
Credential Roamining Services or Roaming profiles to prevent the re-issuance
of EFS certificates.
Any and all help would be greatly appreciated.
-- Steve
- Follow-Ups:
- Re: EFS/DRA
- From: Brian Komar \(MVP\)
- Re: EFS/DRA
- References:
- Re: EFS/DRA
- From: Brian Komar \(MVP\)
- Re: EFS/DRA
- Prev by Date: Re: EFS/DRA
- Next by Date: Re: Unplugged Cable/Media Disconnected
- Previous by thread: Re: EFS/DRA
- Next by thread: Re: EFS/DRA
- Index(es):
Relevant Pages
|
