Re: EFS error: event id: 6203 on Windows Server 2003

From: Brian Komar (bkomar_at_nospam.identit.ca)
Date: 10/29/04


Date: Fri, 29 Oct 2004 07:06:18 -0500

In article <A_igd.324219$MQ5.31064@attbi_s52>, n9rou@n0-spam-for-me-comcast.net says...
> I believe it is a warning message just to inform you that if you decrypt a
> file over the network that the data will not be encrypted on the wire. The
> access denied probably means that you do not have an EFS certificate/private
> key on the computer where the encrypted file exists. Also to encrypt files
> on a network server, the computer must be trusted for delegation in its
> computer account properties in Active Directory Users and Computers. The
> link below explains more. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;320044

Further to Steve's answer.

Is the computer a member of the same forest as the server where you are
attempting to encrypt/decrypt the file? My guess is no, which is why you
are using NTLM authentication rather than Kerberos. Only Kerberos
allows Kerberos impersonation, which is enabled when you configure that
the server computer is trusted for delegation. The server impersonates
the user, generates a profile, and either generates or uses the EFS key
pair in that profile for encryption.

If it is a member of the same forest, is there anything preventing
Kerberos authentication? Common issues include an incorrect SPN or the
inability to resolve the server's FQDN in DNS.

Brian

>
> "mika2004" <mika2004@discussions.microsoft.com> wrote in message
> news:D7B41740-37E9-4349-86F2-B19FB825849B@microsoft.com...
> > Has anyone ever seen this eventid from the source EFS?
> > I get it every time I click on an encrypted file.
> > After that the encrypted files cannot be accessed.
> > Error: Access denied.
> > Client OS is Windows XP SP1.
> > The whole event message is:
> > EFS does not support encryption over network sessions established using
> > the
> > NTLM protocol.
> > Any comments?
> >
> >
>
>
>
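
The checks named in the reply above (DNS resolution of the server's FQDN, the "trusted for delegation" flag on the computer account, and the SPN) can be run together. This is an added example, not part of the original posts; the function name and the server name `fs01.corp.example` are placeholders, and it assumes a domain-joined machine with PowerShell 3.0 or later.

```powershell
# Added example: hypothetical helper, not code from the thread.
function Test-EfsRemotePrereq {
    param([Parameter(Mandatory)][string]$ServerFqdn)  # placeholder, e.g. fs01.corp.example

    # Refuse characters that would change the meaning of the LDAP filters below.
    if ($ServerFqdn -notmatch '^[A-Za-z0-9.-]+\z') { throw "Not a plain DNS name: $ServerFqdn" }

    $r = [ordered]@{
        Server = $ServerFqdn; DnsResolves = $false; AccountFound = $false
        TrustedForDelegation = $false; HostSpnPresent = $false; SpnOwners = @()
    }

    # 1. If the FQDN does not resolve, the client cannot request a Kerberos
    #    service ticket for it and the session is negotiated with NTLM instead.
    try { [void][System.Net.Dns]::GetHostEntry($ServerFqdn); $r.DnsResolves = $true } catch { }

    # 2. Find the server's computer account in the current domain.
    $s = [adsisearcher]"(&(objectCategory=computer)(dNSHostName=$ServerFqdn))"
    [void]$s.PropertiesToLoad.AddRange([string[]]@('userAccountControl', 'servicePrincipalName'))
    $acct = $s.FindOne()
    if ($acct) {
        $r.AccountFound = $true
        # 0x80000 is the TRUSTED_FOR_DELEGATION bit of userAccountControl, the flag
        # behind the "trusted for delegation" setting on the computer account.
        $uac = [int]$acct.Properties['useraccountcontrol'][0]
        $r.TrustedForDelegation = [bool]($uac -band 0x80000)
        # cifs/<fqdn> is covered by HOST/<fqdn> through the default SPN mappings.
        $r.HostSpnPresent = @($acct.Properties['serviceprincipalname']) -contains "HOST/$ServerFqdn"
    }

    # 3. An SPN registered on more than one account also breaks Kerberos.
    #    This search covers the current domain only, not the whole forest.
    $d = [adsisearcher]"(servicePrincipalName=HOST/$ServerFqdn)"
    [void]$d.PropertiesToLoad.Add('distinguishedName')
    $r.SpnOwners = @($d.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })

    [pscustomobject]$r
}

# Placeholder server name; replace with the file server's FQDN.
Test-EfsRemotePrereq -ServerFqdn 'fs01.corp.example' | Format-List
```

A healthy result has `DnsResolves`, `TrustedForDelegation` and `HostSpnPresent` all true and exactly one entry in `SpnOwners`.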


