Re: File ENcryption Problem Detail

From: Drew Cooper [MS] (dcoop@online.microsoft.com)
Date: 08/29/02 

From: "Drew Cooper [MS]" <dcoop@online.microsoft.com>
Date: Thu, 29 Aug 2002 12:50:13 -0700

Yes. We have a clean install of Win2k SP3 on both a DC and a client joined
to its domain. We can encrypt remotely (client to server, of course).
If you have taskman running, showing the big CPU users, then repro, you
should see what's grinding away. This is not a very fine-grained approach,
I'm afraid. If we could repro in our lab, we could debug it. Not sure what
to do in this case unless we can see what's happening.

Are there any clues in the event viewer after you've rebooted the hung
machine? 

--
Drew Cooper [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Mandy" <mmmandy@hotmail.com> wrote in message
news:ewtYAM0TCHA.1668@tkmsftngp13...
> it is able to encrypt file locally on the DC, but not remotely encrypt
file
> on server by client PC users
>
> Sorry that I am unable to know which process as the machine hangs and
> un-responds.
>
> when u repro the situation, can u encrypt file on server remotely from
> client PC?
>
> "Drew Cooper [MS]" <dcoop@online.microsoft.com> 撰寫於郵件
> news:ecqNpWwTCHA.1496@tkmsftngp11...
> > We could not reproduce your issue in our lab.  I have no idea what's
> really
> > happening on your machine or how to get another machine into a similar
> > state.
> >
> > DCs are trusted for delegation.  This means that they are enabled to be
> > servers for remote EFS.  Not that it's good policy to use your DCs for
> file
> > servers, mind you.  ;-)
> >
> > If you're logged on to the DC locally, can you encrypt any files?
> > While the machine hangs, what process is the CPU hog?
> >
> > --
> > Drew Cooper [MS]
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> >
> >
> > "Mandy" <mmmandy@hotmail.com> wrote in message
> > news:#QkxxkWTCHA.3620@tkmsftngp08...
> > > For my testing, I guess something has conflict between the local
> recovery
> > > policy and domain recovery policy.
> > >
> > > In addition, I guess domain controller does not support encryption by
> > other
> > > machine.
> > >
> > > "Robert Gu [MS]" <robertg@online.microsoft.com> 撰寫於郵件
> > > news:#u1xzJVTCHA.4136@tkmsftngp08...
> > > > Will forward this to our testers for a repro. I believe there are
more
> > > > details you need to give. We do have Win2K server running EFS here.
> Can
> > > you
> > > > think of anything that might help us to repro?
> > > >
> > > > --
> > > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights.
> > > >
> > > > Robert Gu [MS Security Developer]
> > > > "Mandy" <mmmandy@hotmail.com> wrote in message
> > > > news:uIdntnwSCHA.1648@tkmsftngp08...
> > > > > Here is the detail:
> > > > >
> > > > > A user wants to encrypt a file in a drive, the drive is mapped
from
> a
> > > > shared
> > > > > folder on the server.  When user tries to encrypt the file, the
> server
> > > is
> > > > > hang and the user's PC has shown "processing".
> > > > >
> > > > > There is nothing being modified in the recovery agent.  Therefore,
> > > > >
> > > > > Server- there is one local recovery agent in the local security
> policy
> > > and
> > > > > one domain recovery agent defined in the domain security policy.
> > > > > PC - there is one local recovery agent is defined locally and one
> > domain
> > > > > recovery agent is defined by the domain controller (this domain
> > recovery
> > > > > agent has the same certificate ID in the domain recovery agent in
> the
> > > > > server).
> > > > >
> > > > >
> > > > >
> > > > > "Mandy" <mmmandy@hotmail.com> 撰寫於郵件
> > > > > news:#xfCHjwSCHA.3720@tkmsftngp08...
> > > > > > Robert,
> > > > > >
> > > > > > nothing is encrypted on the server or client PC (I have
> implemented
> > > this
> > > > > > scenario in the testing environment, which has the clean
> > installation
> > > of
> > > > > > server and professional).
> > > > > >
> > > > > > I just wonder is it possible to do encrypted on server by client
> PC?
> > > > > >
> > > > > > Mandy
> > > > > >
> > > > > > "Robert Gu [MS]" <robertg@online.microsoft.com> 撰寫於郵件
> > > > > > news:eBiwo0sSCHA.2412@tkmsftngp13...
> > > > > > > Encryption should not cause hang. Local recovery agent should
> not
> > > > affect
> > > > > > the
> > > > > > > recovery policy. Is the %temp% on the server marked as
> encrypted?
> > > Can
> > > > > you
> > > > > > > provide more detailed repro steps?
> > > > > > >
> > > > > > > --
> > > > > > > This posting is provided "AS IS" with no warranties, and
confers
> > no
> > > > > > rights.
> > > > > > >
> > > > > > > Robert Gu [MS Security Developer]
> > > > > > > "Mandy" <mmmandy@hotmail.com> wrote in message
> > > > > > > news:#EAbVooSCHA.1880@tkmsftngp13...
> > > > > > > > Hi everyone,
> > > > > > > >
> > > > > > > > Would u please give me a help.  Here is the situation.
> > > > > > > >
> > > > > > > > Environment:
> > > > > > > > - Windows 2000 Server promoted to a Domain Controller
> (Server),
> > > and
> > > > > > domain
> > > > > > > > computer (PC).
> > > > > > > > - A shared folder is created on Server such that user can
map
> > the
> > > > > shared
> > > > > > > > folder as a Drive
> > > > > > > >
> > > > > > > > Problem: Domain User  using PC encrypts the shared file on
> > Server
> > > > such
> > > > > > > that
> > > > > > > > the server will be hang.
> > > > > > > >
> > > > > > > > Resolution has done:
> > > > > > > > - I have tried this scenario many many times in the testing
> > > > > environment,
> > > > > > > but
> > > > > > > > the same problem occurs.
> > > > > > > > - I have tried to use roaming profile.
> > > > > > > > - Domain User accounts are not marked as "sensitive and
cannot
> > be
> > > > > > > delegated"
> > > > > > > > this is following the instruction from MS White Paper.
> > > > > > > >
> > > > > > > > Question: I just wonder how to encrypt a file on a
> server/domain
> > > > > > > controller.
> > > > > > > > Or is it possible?
> > > > > > > >
> > > > > > > > After a few tries on the testing environment, it works fine
> when
> > I
> > > > > > deleted
> > > > > > > > the local recovery agent on the sever.  Will that be the
cause
> > of
> > > > the
> > > > > > > > problem?
> > > > > > > >
> > > > > > > > Man
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Relevant Pages

  • [Full-Disclosure] R: Full-Disclosure Digest, Vol 3, Issue 42
    ... Full-Disclosure Digest, Vol 3, Issue 42 ... SD Server 4.0.70 Directory Traversal Bug ... Arkeia Network Backup Client Remote Access ...
    (Full-Disclosure)
  • RE: Remote connectivity problems
    ... do you mean you have added a remote client to SBS ... If you have hardware VPN tunnel setup using Linksys or others, ... In this scenario you have to configure the SBS Server computer to enable ...
    (microsoft.public.windows.server.sbs)
  • Re: Terminal Services Remote Control
    ... You don't need the Remote Desktop Client on the server, ... how do I get Remote Control ...
    (microsoft.public.win2000.termserv.apps)
  • Re: RWW Disconnecting
    ... I have been connected from a remote site for about 3 ... DHCP server and even a wireless access ... the key codes to for Internet access. ... Client Workstations} ...
    (microsoft.public.windows.server.sbs)
  • Re: RWW Disconnecting
    ... Server to test the issue. ... I understand that remote client encounts following error message when RWW ... I strongly suggest that we rerun the Configure E-mail and Internet ...
    (microsoft.public.windows.server.sbs)