EFS recovery agent cert not published in AD

From: DaveF (davef_at_usfamily.net)
Date: 06/04/03

Date: 3 Jun 2003 15:10:10 -0700

I'm trying to set up a pilot of EFS in the lab. I have an Enterprise
CA set up, and can request the required certificates with no problem.
EFS works fine, as does the default Recovery Agent (the Administrator
account for the domain).

Now I want to add another recovery agent and remove the default one.
I created a group called recoveryagents, and added a user (let's call
him fred) to this group. I then granted this group ENROLL rights to
the EFSRecovery certificate template. Finally, I logged on to a
workstation as fred, opened the certificates MMC, and requested an EFS
recovery certificate. The request worked, and I could install the
certificate in my (fred's) personal store. The problem is, it never
shows up as being published in AD. If I request a user cert, or an EFS
cert, it installs in the personal store and also is published in AD,
just like I expect.

Since it's not published in AD, I can't add fred as a recovery agent
with the Add Recovery Agent Wizard (at least, not by browsing for him
in the directory). If I select him, it tells me that he does not have
a suitable certificate.

I tried logging in to a workstation as a different user (one that
belongs to the domain admins group) and doing the same thing, but I
got the same result.

Everything I read indicates that the EFS recovery certificate should
be published to AD automagically in this configuration, but it is not.
As I said before, other types of certs ARE published automagically,
so everything else seems to be in order.

Is it possible that I hosed up permissions on the EFSRecovery template
in some way that's causing this? Is there any logging I can enable
to find out? I see no errors of any kind in the event viewer.

Thanks.
Dave
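An added diagnostic, not part of the original post, written as a modern PowerShell equivalent of the two checks the question turns on: whether the EFSRecovery template is flagged to publish issued certificates to AD, and which certificates AD actually holds in fred's userCertificate attribute. It assumes the RSAT ActiveDirectory module is installed; the template name EFSRecovery and the user fred are taken from the post.

```powershell
# Added diagnostic (not from the original post). Assumes the RSAT
# ActiveDirectory module; template and user names are parameters.
param(
    [string]$TemplateName   = 'EFSRecovery',  # template cn named in the post
    [string]$SamAccountName = 'fred'          # user named in the post
)
Import-Module ActiveDirectory

# CT_FLAG_PUBLISH_TO_DS (0x8) in the template's 'flags' attribute is what
# tells the CA to write each issued certificate into the subject's
# userCertificate attribute. Without it, the cert lands only in the
# requester's personal store, which matches the behaviour described.
$CT_FLAG_PUBLISH_TO_DS = 0x8
$cfg   = (Get-ADRootDSE).configurationNamingContext
$tplDn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
$tpl   = Get-ADObject -Identity $tplDn -Properties flags, 'msPKI-Template-Schema-Version'

$publishes = ($tpl.flags -band $CT_FLAG_PUBLISH_TO_DS) -ne 0
"Template {0}: schema v{1}, flags=0x{2:X}, publish-to-AD={3}" -f `
    $TemplateName, $tpl.'msPKI-Template-Schema-Version', $tpl.flags, $publishes
if (-not $publishes) {
    # Version 1 templates are read-only; the usual route is to duplicate
    # the template (which yields a v2+ copy) and set the flag on the copy.
    "Issued certs from this template are not written to userCertificate; " +
    "check the template's 'Publish certificate in Active Directory' setting."
}

# Now list what AD holds for the user, with each cert's template name
# (extension OID 1.3.6.1.4.1.311.20.2 carries the v1 template name).
$user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
if (-not $user.userCertificate) { "No certificates published in AD for $SamAccountName" }
foreach ($raw in $user.userCertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (,[byte[]]$raw)
    $tplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
    $tplLabel = if ($tplExt) { $tplExt.Format($false) } else { '(no template-name extension)' }
    "{0}: template={1} serial={2} expires={3}" -f `
        $cert.Subject, $tplLabel, $cert.SerialNumber, $cert.NotAfter
}
```

Run it as a user with read access to the Configuration partition; the first line of output answers the "is it the template?" question directly, and the per-certificate listing shows whether the EFS and user certs the poster says are published really are the only ones present.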