Re: EFS Recovery Agent
From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 02/20/04
- Next message: Dan Lnenicka: "SFM Network Trash folder security"
- Previous message: DOUG: "PRODUCT KEY LOST"
- In reply to: Steven L Umbach: "Re: EFS Recovery Agent"
- Next in thread: Roger Abell [MVP]: "Re: EFS Recovery Agent"
- Reply: Roger Abell [MVP]: "Re: EFS Recovery Agent"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 20 Feb 2004 14:38:49 -0800
The name issue was a bug. It's a failed account lookup. There's a place in
each entry in the EFS metadata for an account SID. It makes sense for
users, but not RAs - there's really no way to know the RA's SID. So the
metadata doesn't hold anything useful in that field for an RA.
The old version of efsinfo treated RA data the same as user data and tried
to look up an account name based on the (non-specified) SID. Whenever the
lookup failed, it would output "unknown user".
There's a newer version of efsinfo that doesn't try name lookup for RAs -
just skips that info. I don't know whether we checked a fix for this into
Win2k sources. I doubt it, though. It's a minor problem that doesn't block
anyone - not the kind of thing fixed with a service pack.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

"Steven L Umbach" <sumbach@nospam-ameritech.net> wrote in message
news:oLqZb.11912$PY.8703@newssvr26.news.prodigy.com...
> I don't know about the name issue offhand, but believe as long as the right
> EFS RA private key has been imported to the computer where files need to be
> recovered by the RA it should work. You can also use efsinfo to view
> thumbprints to help match up the certificates that are RA. You need to have
> a RA export their recovery certificate and private key to a .pfx file as
> described in the KB article below to be able to import it to another
> computer. Their certificate also needs to be a recovery certificate as
> described on the certificate properties in the user certificate store
> accessible through the mmc certificate snapin for users. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B242296
> http://www.microsoft.com/windows2000/techinfo/planning/security/efssteps.asp
>
> "Steven Bellamy" <nospam@nospam.com> wrote in message
> news:el#eTt89DHA.4080@tk2msftngp13.phx.gbl...
> > Hi,
> >
> > I am having a problem trying to decrypt information using a Recovery Agent.
> >
> > We're running a W2K Adv Server SP3 in mixed mode.
> >
> > I have set up EFS using a GPO for the domain. I have specified 3 user
> > accounts to be Recovery Agents for the domain, all of which are part of the
> > admin group.
> > I used the Wizard to add or create the RAs, I did not import any
> > certificates.
> >
> > When I use efsinfo /u /r on an encrypted file, I get the following info.
> >
> > test.txt: Encrypted
> > Users who can decrypt:
> > ABCDOMAIN\user (user(user@abcdomain.com))
> > Recovery Agents:
> > Unknown (RA1(ra1@abcdomain.com))
> > Unknown (RA2(ra2@abcdomain.com))
> > Unknown (RA3(ra3@abcdomain.com))
> >
> > Does anyone know why the RA's have a domain of Unknown?
> > Is this possibly why I can't decrypt a file on a PC that has a recovery
> > agent certificate installed?
> >
> > Thanks for your help!
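The point Drew makes above is that the account column of an efsinfo RA entry is not meaningful, because the EFS metadata holds no SID for recovery agents; what decides whether recovery works is whether a matching recovery certificate with its private key is present on the machine doing the recovery, as Steve describes. The following is an added example (not code from the thread or from Microsoft) that parses the efsinfo /u /r output format exactly as quoted in the thread and reports on each entry accordingly. The sample text is constructed from the quoted output; the name-based matching in assess() is a simplification of Steve's thumbprint-matching advice and is an assumption of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the efsinfo /u /r output quoted in the thread.
SAMPLE_OUTPUT = """\
test.txt: Encrypted
Users who can decrypt:
ABCDOMAIN\\user (user(user@abcdomain.com))
Recovery Agents:
Unknown (RA1(ra1@abcdomain.com))
Unknown (RA2(ra2@abcdomain.com))
Unknown (RA3(ra3@abcdomain.com))
"""

# One entry line: "<account> (<display name>(<email>))"
ENTRY_RE = re.compile(r"^(?P<account>.+?) \((?P<name>[^(]+)\((?P<email>[^)]*)\)\)$")


@dataclass
class EfsEntry:
    account: str            # SID -> account lookup result; "Unknown" when the lookup failed
    name: str               # display name taken from the certificate
    email: str
    is_recovery_agent: bool


@dataclass
class EfsFileInfo:
    path: str
    state: str
    users: list = field(default_factory=list)
    recovery_agents: list = field(default_factory=list)


def parse_efsinfo(text):
    """Parse the quoted efsinfo /u /r layout into an EfsFileInfo."""
    info = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if info is None:
            # First line: "<path>: <state>"
            path, _, state = line.rpartition(": ")
            info = EfsFileInfo(path=path, state=state)
            continue
        if line == "Users who can decrypt:":
            section = "users"
            continue
        if line == "Recovery Agents:":
            section = "ras"
            continue
        m = ENTRY_RE.match(line)
        if m is None or section is None:
            raise ValueError(f"unrecognised efsinfo line: {line!r}")
        entry = EfsEntry(m["account"], m["name"], m["email"], section == "ras")
        (info.recovery_agents if section == "ras" else info.users).append(entry)
    if info is None:
        raise ValueError("empty efsinfo output")
    return info


def assess(info, available_ra_names):
    """Return one finding per entry.

    For user entries the account field is a real SID lookup, so "Unknown"
    there suggests a deleted or unresolvable account.  For RA entries the
    field is ignored (no SID is stored for RAs); the check that matters is
    whether a recovery certificate for that RA is available here.  Matching
    by display name is an assumption of this example.
    """
    findings = []
    for u in info.users:
        if u.account == "Unknown":
            findings.append(f"user entry {u.name}: SID lookup failed, check the account still exists")
        else:
            findings.append(f"user entry {u.name}: resolves to {u.account}")
    for ra in info.recovery_agents:
        if ra.name in available_ra_names:
            findings.append(f"RA {ra.name}: matching recovery certificate present "
                            f"(account field '{ra.account}' is not meaningful and is ignored)")
        else:
            findings.append(f"RA {ra.name}: no matching recovery certificate with private key on this machine")
    return findings


if __name__ == "__main__":
    parsed = parse_efsinfo(SAMPLE_OUTPUT)
    # Constructed: pretend only RA2's .pfx has been imported on this machine.
    for line in assess(parsed, {"RA2"}):
        print(line)
```

Run as-is it reports the single user entry as resolved, RA2 as recoverable and RA1/RA3 as lacking a local recovery certificate, without treating the "Unknown" account column as an error for any RA.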