Re: EFS

From: Herb Martin (news_at_LearnQuick.com)
Date: 06/14/05

Date: Mon, 13 Jun 2005 23:09:21 -0500

"Pat Hoffer [MSFT]" <pathoff@online.microsoft.com> wrote in message
news:4214AEAA-ECFF-43D1-9750-579C73BFF54A@microsoft.com...
> When a user encrypts a file remotely on a server, the EFS certificate/key
> is generated for the user on the server. (A profile is created for the user
> on the server and the certificate/key are stored in that profile.)

The above is inaccurate or misleading at best.

A roaming profile might be created on SOME server if you set it up that
way, but the location of the roaming profile is totally unrelated to the
file server where the user encrypts files.

If they happen to be the same server, that is merely an accident and
never automatic (an admin must set up roaming profiles).

> If you want to back up that certificate/key, you would have to log onto
> the server as the user in order to access the profile data.

Logging in as the user is correct, but you could log on from any machine
in the domain (trust relationship, actually) where the profile was
available.

> (The certificate/private key can only be backed up from the
> Certificates > Personal store for that user.) If you configure your user
> to have a roaming profile, the server will use the EFS certificate/key
> from the roaming profile (or generate a certificate/key for that profile
> if it has none).

Actually, this is the profile that will store the user's file keys.

There is no separate profile just because of EFS.

> The user will then be able to access the
> same certificate/key from their roaming profile on their workstations and
> back them up there.

Are you saying a user with a non-roaming profile will actually
have a server specific certificate stored on that particular server?

Do you have a reference for this behavior...?

-- 
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
>
> Thanks.
> Pat
>
> -- 
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Roland Hübner" wrote:
>
> > Hello,
> > I have installed an "Enterprise root CA" on my Windows 2000 Server.
> > I open the MMC on a workstation with the Certificates snap-in. I select
> > "Certificate Manager", then "Active Directory User Object". Now my EFS
> > certificate appears.
> > If I want to export this certificate, I cannot select the private key.
> > Under "Certificate Manager" > "Personal" there is no certificate. I can
> > create my own EFS certificate under "Personal": I open Internet Explorer
> > and the address of my root CA, for example http://servername/certsrv, and
> > I create an EFS certificate with a private key that I can export. Problem:
> > if I create a file on the server and encrypt this file, then this file is
> > encrypted with the certificate under "Active Directory User Object".
> > Why? Can I configure the CA so that it takes my own certificate?
> > Or can I, as Administrator, create a certificate with an exportable
> > private key that is available in the domain? Or must I delete the
> > EFS template?
> > Thank you!
> >
> > "Roland Hübner" wrote:
> >
> > > Hello,
> > > I have a Windows 2000 Server with Active Directory and 10 clients. Now
> > > I want to encrypt data on the server. I have installed a CA on a
> > > Windows 2000 Server. A user from a workstation can encrypt a file; this
> > > is OK. The user is allocated the certificate.
> > > So that the system is very safe, the user wants to save the private
> > > key on a disk.
> > > But I cannot export the private key. This function cannot be selected.
> > > What can I do to export the private key?
