Re: EFS Certificate Issue

From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 03/04/04


Date: Thu, 4 Mar 2004 13:30:07 -0800

It's most useful for EFS certs when users have roaming profiles. Or for
sharing EFS files over WebDAV. Or for encrypting a file, adding another
user, using ntbackup to make a .bkf, then giving the .bkf to the other user.
In short - not often useful for EFS.
Publishing to the AD is something that makes more sense for, say, an S/MIME
cert.

- After you added the user, was the user's "thumbnail" (cute name for
"hash") on the file what you expected it to be?
- If you logged on to the remote server locally as that user and checked the
user's Personal cert store, was the matching cert there?
    - If so, could you export the cert and its private key? (That's the
only way to tell if the private key is really there - don't trust the cert
UI - it really tells you "at some time earlier, I thought there was a
private key here").
      - If so, when logged on as that user, could you open the file?

Another approach:
- What do you mean by "the AD key was generated on"? This might be the
source of the confusion. Are you expecting the key to be on the CA or on
the machine where the user requested a cert? (It will be on the latter.)

I hope one of those lines of questioning gets to the root of this. Please
let me know what you find.

-- 
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Eric Skibicki" <plus@nerdinc.com> wrote in message
news:eYgb%235fAEHA.3804@TK2MSFTNGP09.phx.gbl...
> So my question has to be, what is the point of having the keys published
> to active directory then?
>
> Interesting scenario I tried last night... I encrypted a file on a remote
> computer using the AD public key, I then tried opening the file on the
> machine I know the AD key was generated on.. The user still couldn't read
> the file...
>
> Eric
>
> "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
> news:OsoPDBZAEHA.132@TK2MSFTNGP10.phx.gbl...
> > Keys are stored in a user's profile.  If the profile doesn't roam,
> > neither will the keys.  And if there's no key available, EFS will request
> > (or generate) another keypair when encrypting a file.
> > -- 
> > Drew Cooper [MSFT]
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> >
> >
> > "Eric Skibicki" <plus@nerdinc.com> wrote in message
> > news:uTlo%23fWAEHA.3712@tk2msftngp13.phx.gbl...
> > > Hello All,
> > >
> > >   I have a couple win2k3 servers up, both are domain controllers in the
> > > same forest (sc), and one of them (debbie) is running a certificate
> > > authority (enterprise root).   When I encrypt a file on a workstation,
> > > the CA generates an EFS key, and uses that key on the local workstation.
> > >
> > > The problem comes in when I try to encrypt a file on the other domain
> > > controller via a mapped drive from the workstation.  The user all of a
> > > sudden generates a new key with himself as the issuer, and encrypts the
> > > file that way.
> > >
> > > Wanting to test something, I wrote a program that uses
> > > AddUsersToEncryptedFile and EncryptFile to encrypt a file and add my
> > > test user's AD/CA EFS key to that file.  This was all done on the domain
> > > controller that is hosting the share.  When my test user attempts to
> > > open that file (mind you it does have his CA EFS key attached (I can
> > > view the properties, it is correct)) it gives an access denied....
> > >
> > > Any ideas what is causing this behaviour?
> > >
> > > Eric

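Added example, not code from the thread or from either poster: a PowerShell script that walks Drew's checklist while logged on as the affected user on the machine that should hold the key. It lists the certificate thumbprints the file actually records, looks each one up in the user's Personal store, flags the self-signed "himself as the issuer" case, and then tries a PKCS#12 export, since (as Drew says) HasPrivateKey only reports that a key was associated at some earlier time. Assumptions not stated in the thread: cipher.exe /c is available (Windows Vista and later; the 2003-era hosts in the thread lack that switch), it prints "Certificate thumbprint:" lines with space-separated hex groups, the EFS EKU OID is 1.3.6.1.4.1.311.10.3.4, and the file path is a placeholder.

```powershell
# Added example, not code from the original thread. Walks Drew's checks while logged on
# as the affected user: which certificate thumbprints the file records, whether that
# cert is in the user's Personal store, and whether its private key can really be
# exported (HasPrivateKey only says a key was associated at some earlier time).
# Assumptions not stated in the thread: cipher.exe /c is present (Windows Vista and
# later; 2003-era hosts lack the switch), it prints "Certificate thumbprint:" lines with
# space-separated hex groups, and the file path is a placeholder.
param([string]$Path = 'C:\Share\secret.txt')   # hypothetical path; replace with the file under test

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

function Get-EfsFileThumbprint {
    # Thumbprints of every user and recovery-agent certificate named in the file's $EFS stream.
    param([string]$File)
    $text = (& cipher.exe /c $File 2>&1) -join "`n"
    [regex]::Matches($text, '(?i)thumbprint:\s*([0-9A-Fa-f][0-9A-Fa-f ]+)') |
        ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() } |
        Sort-Object -Unique
}

function Test-EfsPrivateKey {
    # $true only if the cert is in CurrentUser\My and a PKCS#12 export with the key succeeds.
    # A non-exportable key (some CA templates) also fails here; EFS can still use such a key,
    # so treat a failure as "go and inspect the key container", not as proof the key is gone.
    param([string]$Thumbprint)
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "$Thumbprint is not in this user's Personal store"
        return $false
    }

    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasEfsEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })
    $selfSigned = ($cert.Subject -eq $cert.Issuer)   # the "himself as the issuer" case from the thread
    Write-Host ("{0}  EFS EKU: {1}  self-signed: {2}  HasPrivateKey: {3}" -f
        $Thumbprint, $hasEfsEku, $selfSigned, $cert.HasPrivateKey)

    try {
        # Export with the private key; throws CryptographicException if the key is absent
        # or marked non-exportable. The password is a throwaway, nothing is written to disk.
        $pfx = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, 'throwaway')
        return ($pfx.Length -gt 0)
    } catch [System.Security.Cryptography.CryptographicException] {
        Write-Warning "private key missing or not exportable: $($_.Exception.Message)"
        return $false
    }
}

$onFile = @(Get-EfsFileThumbprint -File $Path)
"$Path names $($onFile.Count) certificate(s)"
foreach ($t in $onFile) {
    "  $t -> usable private key in this profile: $(Test-EfsPrivateKey -Thumbprint $t)"
}
# Keys live in the user's profile, not on the CA: if none of the thumbprints above resolves
# to an exportable key here, this logon cannot decrypt the file, whatever the file's
# properties dialog shows.
```

Run it as the user who gets "access denied", on the machine where that user originally requested the certificate. If the file lists a CA-issued thumbprint but this profile only holds a self-signed EFS cert, the file was encrypted (or the user was added) with a certificate whose private key never existed in this profile, which matches the symptom in the thread.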
