Re: Cannot Decrypt Files

From: Robert (Robert_at_discussions.microsoft.com)
Date: 05/03/05

• Next message: Will: "EventID 534: User has not been granted requested logon type"
• Previous message: SMO: "How to Delegate DHCP"
• In reply to: Steven L Umbach: "Re: Cannot Decrypt Files"
• Next in thread: Steven L Umbach: "Re: Cannot Decrypt Files"
• Reply: Steven L Umbach: "Re: Cannot Decrypt Files"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 2 May 2005 17:12:02 -0700

Hi Steven,

Thank you very much for your response.
The general page does indeed show that I "have a private key that
corresponds to this certificate". It does however say that "This CA Root
certificate is not trusted." And also as a step in this ordeal I had in fact
exported what I believed to be the certificate of my user to a .pfx file and
have since imported it back into my personal certificate folder with no
success in decrypting the files. Perhaps I did not import it correctly
although I did receive the successful message...
I have also logged in as the local administrator that Efsinfo indicated has
a matching thumbprint to the RA and have not been able to decrypt.
My laptop has been part of a domain in the past but is now a standalone in a
workgroup. Could that possibly matter?

Many thanks,
Robert

"Steven L Umbach" wrote:

> When you view your certificate in the mmc snapin for certificates for "user"
> and look at the general page it needs to show "you have a private key that
> corresponds to this certificate". If not you will not be able to access the
> EFS files with that certificate. Possibly at one time you exported the
> certificate and private key to a password protected .pfx file AND in the
> process checked the option to delete the private key?? If that is so, import
> the .pfx certificate/private key back into that computer to access the EFS
> files. Windows 2000 also requires a Recovery Agent for EFS which is the
> built in administrator account for a non domain computer which probably is
> what was referenced to as "unknown user". So try logging on as the built in
> administrator account to see if that works or importing the domain's RA
> certificate/private key from a .pfx file for it. Efsinfo /r shows RA
> information. In a domain the RA can typically be the built in administrator
> account for the domain and the best place too look for that certificate
> would be on the first domain controller in the domain which may be the pdc
> fsmo. You can not request a certificate with the same private key if the
> private key does not exist with the certificate which is why you get that
> message. FYI the EFS certificate/private key live in the users profile. So
> if you have a backup of the users profile for that installation of the
> operating system you may be able to restore a copy of the profile and thus
> the private key assuming the backup contained the private key. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
>
> "Robert" <Robert@discussions.microsoft.com> wrote in message
> news:FF62B5A2-3172-47AD-B31B-261B26646219@microsoft.com...
> > Hi,
> >
> > I am looged in to a standalone W2K machine as the user who encrypted the
> > files. Efsinfo and MMC Certificates have indicated that my certificate
> > thumbprints are the same. Efsinfo however states that the user is unknown
> > even though CN=<myuser>..not sure if that matters. An intersting side
> > note
> > is that when I attempt to request a certificate with the same key from my
> > personal efs certificate I receive an error message stating that the
> > selected
> > certificate has no private key. Any help would be appreciated.
> >
> > TIA,
> > Robert
>
>
>

• Next message: Will: "EventID 534: User has not been granted requested logon type"
• Previous message: SMO: "How to Delegate DHCP"
• In reply to: Steven L Umbach: "Re: Cannot Decrypt Files"
• Next in thread: Steven L Umbach: "Re: Cannot Decrypt Files"
• Reply: Steven L Umbach: "Re: Cannot Decrypt Files"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: XP Encryption Fudge-up. Trying to help my father-in-law ... He needs the original certificate and private key ... He should have exported his EFS certificate and ... (microsoft.public.security) Re: EFS encrypt files: Changed PW now cant access... :-( ... Assuming the EFS certificate AND private key are in the user's profile you ... need to change the user account password back to what it was before they ... (microsoft.public.windowsxp.security_admin) Re: Self-Signed EFS and AD ... EFS needs your private key available locally to work. ... Certs are public infomation and hence published to AD. Private keys ... > Certificate instead of creating a new one every time I change a PC? ... (microsoft.public.windowsxp.security_admin) Re: efs and "encryption" overall... help? ... What I referred to was that the only way to make totally sure that the EFS ... encrypted files are safe is to export/delete the certificate and private key ... require the user to enter the password used to protect the private key. ... >> uses much stronger encryption to encrypt EFS files, ... (microsoft.public.windows.server.networking) RE: SIMple SSL question ?? ... I believe your book is instructing you to keep the private key secure. ... you use the certificate request wizard in IIS to install the cert after it's ... the certificate that's just been installed. ... If an attacker retrievs the SSL certificate, ... (microsoft.public.dotnet.security)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint