Re: EFS and Certificate Services

From: Brian Komar (bkomar_at_nospam.identit.ca)
Date: 08/25/05 

Date: Wed, 24 Aug 2005 18:13:51 -0500

Answers inline:

In article <3659CB09-D379-4DC3-9C8C-2EF8690EF7D2@microsoft.com>,
Rschraeger@discussions.microsoft.com says...
> Ok I'm hopping that this is a bug in the software but in reality its realy
> bugging me.
>
> I created a Enterprise Root CA with a Enterprise Subordinate CA for issuing
> EFS certificates. The Root CA is offline.

An Enterprise Root CA computer cannot be offline. An enterprise Root CA
must be a domain member, and integrates with AD, not allowing it to be
removed from the network.

> The client, a 2000 pro machine, is in the Domain and the user is a normal user of the domain (domain users)
> and is in the administrators group on the local machine.
>

No need to be in the local Administrators group

> When the user encryptes a file a certificate from the Subordinate CA is
> issue. I check the thumbprint of the file and the certificate which matched.
> So far..so good. Then 5 minutes or so later a second certificate for EFS is
> issued from the CA. This certificate has a different thumbprint and is never
> used for EFS. Why the two certs? and how can I get only one!

The best practice is to issue the certificates *before* any encryption
is attempted. I would recommend a custom v2 certificate template that
implements key archival. Ensure that it is deployed using CAPICOM before
attempting encryption.

Where are they doing the encryption? If they are issued a single
certificate, the client should not request another certificate unless
encryption is attempted on a remote server. In this case, another cert
would be requested for storage in the user's profile on the remote
server.

>
> PLEASE HELP!!!
> 

-- 
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian

Relevant Pages

  • Re: Windows Mobile 6.1 Wi-Fi Support
    ... On your device you should see WPA2-PSK and WPA2 as the encryption options. ... For my corporate we use WPA2 enterprise and I can connect my Touch Pro with no problem - after I got the certificate from IT. ... You can change the encryption and method if you go into the settings of the WiFi connection in Start>Settings>Connections>Wireless. ...
    (microsoft.public.pocketpc.wireless)
  • Re: Difference between Certificate Authorities
    ... If my Enterprise Root is crashed then certificate issue by Enterprise root ... Root CAs Vs Subordinate Vs Issuing CAs. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Enterprise Root CA change
    ... If you want to replace your existing Enterprise CA to a new computer you can ... CA to a new computer by backing up the existing CA keys, certificate ... I would like to setup a new Win2k3 enterprise root ...
    (microsoft.public.windows.server.security)
  • Re: Certificate Services with multiple forests
    ... The enterprise CA is limited to servicing one forest ... > Anyway to use Enterprise CA's with multiple forests? ... > forest A. The enterprise root CA will be in forest B. ... > try to get a certificate from forest A, it says it's denied by policy ...
    (microsoft.public.win2000.security)
  • Certificate Services with multiple forests
    ... Anyway to use Enterprise CA's with multiple forests? ... production forest A, and a proposed forest B which will hold a list of ... forest A. The enterprise root CA will be in forest B. ... try to get a certificate from forest A, it says it's denied by policy ...
    (microsoft.public.win2000.security)