Re: EFS/DRA



Nope, you only have to do it once.
I just wanted to make sure you had backed it up.
Brian

"Steve" <Steve@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:AC9BBFC3-1789-4335-BF9C-D731618EC594@xxxxxxxxxxxxxxxx
Thanks for the response.

I exported the private key, assigned it a password and saved it. Now it says
there is a private key that corresponds to the certificate. You say that if
it does, export it. Didn't I just do that? Or should I do it again?

Thanks a lot for your help.
-- Steve

"Brian Komar (MVP)" wrote:

some initial answers inline...

"Steve" <Steve@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AA251001-9431-43DF-95F9-8E681FBB99FB@xxxxxxxxxxxxxxxx
> All,
>
> I could really use some help with this EFS/DRA stuff. One thing at a time
> I suppose.
>
> I have successfully published a DRA via Group Policy (Win2k3/AD). I created
> an encrypted file on an XP2 machine. When I click details of the encrypted
> file, I can see the DRA. Associated with the user is a Cert Thumbprint.
This is good news <G>

>
> I am logged onto a DC with the DRA user and when I open the Certificates
> snap-in for mmc, under Personal --> Certificates, the cert is there
> (with the same Thumbprint). Likewise the same cert is listed under Active
> Directory User Object --> Certificates.

Does it state that you have the private key associated with the certificate?
If yes, then export it now!! Do not pass go, do not wait for anything.
This is the only copy of the certificate and private key.


> However when I try to access the files on the
> XP machine from the DC (file share) it says access is denied. I am trying
> to test the data recovery agent before implementing EFS on my network. Did I
> miss a step?

To use the key as the DRA, you must log on *locally* at the computer. You
are connecting over the network. You are creating a profile on the remote
machine, generating a new EFS certificate, and attempting to open it with
that certificate. The encryption/decryption is all remote.
It is not a transfer of the encrypted file to your machine. It is a remote
decryption and transfer of the file in the clear.


>
> Possibly related or unrelated, I am also having a problem with DC issued
> certs vs. self-signed certs. I was testing with QA and found that I needed
> to add his self-signed cert to the encrypted file so that he could view it.
> He has been autoenrolled for an EFS cert (duplicate of Basic EFS) but it
> doesn't appear to be working. What did I miss here? Also, I have noticed that
> many users have been autoenrolled for the EFS cert multiple times (viewing
> the Certification Authority --> Issued Certificates).


There is a KB article (sorry no time to search for it now) that prevents the
creation of self-signed certificates. In addition, you want to enable
Credential Roaming Services or Roaming profiles to prevent the re-issuance
of EFS certificates.
>
> Any and all help would be greatly appreciated.
> -- Steve


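The check Brian describes (does the DRA certificate in the Personal store have its private key attached, and if so back it up right away) together with the duplicate-autoenrolment symptom Steve mentions, as an added PowerShell example that is not part of this thread. It assumes a Windows version that ships the PKI module (Export-PfxCertificate), and the thumbprint and backup path are placeholders to fill in.

```powershell
# Added example, not from the thread: inventory EFS certificates in the
# current user's Personal store, show which ones carry a private key, flag
# duplicate autoenrolments, and back up the DRA key pair to a PFX.
# Assumptions: Windows PowerShell 5.1 on Windows 8/2012 or later (PKI module);
# $DraThumbprint and $BackupPath are placeholders for your own values.

$EfsEku        = '1.3.6.1.4.1.311.10.3.4'      # Encrypting File System EKU OID
$DraThumbprint = 'REPLACE_WITH_DRA_THUMBPRINT'  # placeholder
$BackupPath    = 'C:\DRA-Backup\dra.pfx'        # placeholder

# 1. Every EFS-capable certificate, with private-key presence and self-signed status.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku }

$efsCerts |
    Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey,
        @{ n = 'SelfSigned'; e = { $_.Subject -eq $_.Issuer } } |
    Format-Table -AutoSize

# 2. Repeated autoenrolment shows up as several EFS certs for the same subject.
$efsCerts | Group-Object Subject | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "$($_.Count) EFS certificates for $($_.Name)" }

# 3. Back up the DRA key pair. Stop if the private key is not attached,
#    because the certificate alone cannot recover anything.
$dra = $efsCerts | Where-Object Thumbprint -eq $DraThumbprint
if (-not $dra)               { throw "No EFS certificate with thumbprint $DraThumbprint" }
if (-not $dra.HasPrivateKey) { throw "DRA certificate found, but no private key is attached" }

New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $dra -FilePath $BackupPath -Password $pfxPassword | Out-Null
Write-Host "DRA certificate and private key exported to $BackupPath; keep this copy offline."
```

The export only succeeds if the key was marked exportable when it was enrolled; a non-exportable DRA key cannot be backed up this way.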


