Re: EFS recovery agent in Default Domain Policy with a self signed



On Fri, 13 Apr 2007 20:56:00 -0700, Daniel Sorokins wrote:

OK.

I exported the key and certificate with cipher (using PSS ID 887414), then I
imported this into the domain GPO (EFS recovery agents...), and also imported it into
AD (user certificates published).
But this does not work (this user is unable to open files or disable encryption on
them). When the GPO updates the computers, this user is defined in each file as the
recovery agent, but when this user logs on and tries to open a file the message is "access denied".

If I create a certificate with the MS CA, then this works OK.


<snip>
What you are forgetting is that EFS has nothing to do with the user
account, and everything to do with who owns/possesses the private key of
the EFS recovery agent.
Just logging in as the user will not work. It does work when you request
the certificate from the Microsoft CA because you are logging on *with* the
account that requested the certificate *at* the computer where you made the
request.
If you generate the certificate with cipher, you get two objects: a .cer
file, which you correctly imported into AD, and a .pfx or .p12 file that you
must import into the local user account.
It does not matter which account, in fact. Any account will do.

HTH,
Brian
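The procedure Brian describes, written out as an added example (this is not code from the thread or from Microsoft documentation, and the paths, file names, password prompt and sample file are hypothetical): generate the recovery agent key pair with cipher.exe, leave the .cer for the GPO/AD side, and import the .pfx into the personal store of whatever account will actually perform recovery, on the machine where the recovery is done. The verification step assumes a Vista/Server 2008 or later host (cipher /c) and the PKI PowerShell module (Windows 8/Server 2012 or later) for Import-PfxCertificate; the certutil line is the equivalent for older hosts.

```powershell
# Added example, not from the original post. All paths, names and the sample file
# (C:\Secret\report.docx) are hypothetical placeholders.

# 1. Generate the data recovery agent (DRA) key pair. cipher /r writes two files:
#    EFSRA.cer (public certificate) and EFSRA.pfx (private key, password-protected).
cipher.exe /r:C:\EFS\EFSRA

# 2. Only the .cer goes into the GPO (Computer Configuration > Windows Settings >
#    Security Settings > Public Key Policies > Encrypting File System > Add Data
#    Recovery Agent) and, optionally, into AD. Publishing the .cer gives nobody the
#    ability to decrypt anything: that needs the private key in the .pfx.

# 3. Import the .pfx into the personal store of the account that will do recovery,
#    on the machine where recovery will be performed. As the reply says, which
#    account is irrelevant; what matters is that this profile holds the private key.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password chosen during cipher /r'
$dra = Import-PfxCertificate -FilePath C:\EFS\EFSRA.pfx `
    -CertStoreLocation Cert:\CurrentUser\My `
    -Password $pfxPassword

# Equivalent on hosts without the PKI module (the Server 2003 era of the thread):
#   certutil.exe -user -p <password> -importPFX C:\EFS\EFSRA.pfx

# Without the private key the recovery agent can only ever get "Access denied".
if (-not $dra.HasPrivateKey) {
    throw 'Imported certificate carries no private key; recovery will fail'
}
"DRA thumbprint in CurrentUser\My: $($dra.Thumbprint)"

# 4. Pull the updated policy onto this computer, then check that an encrypted file
#    lists the same certificate under "Recovery Certificates". cipher /c prints
#    thumbprints in space-separated groups, so the spaces are stripped before comparing.
gpupdate.exe /target:computer /force
$info = (cipher.exe /c C:\Secret\report.docx) -join "`n"
if (($info -replace ' ', '') -match $dra.Thumbprint) {
    'File references the DRA whose private key this profile holds: recovery will work'
} else {
    # Files encrypted before the DRA was added still carry the old recovery field.
    # cipher /u rewrites the recovery keys on all encrypted files on local drives.
    'DRA not yet on this file; run cipher.exe /u to refresh existing encrypted files'
}
cipher.exe /u

# 5. Housekeeping: the .pfx is the recovery key for every EFS file in the domain.
#    Move it to offline media once imported rather than leaving it on a share.
```

Two things the thread's failure mode turns on: the .cer in the GPO only tells every client *which* public key to wrap the file encryption key for, so an account that merely owns the matching certificate object in AD still decrypts nothing, and files encrypted before the policy change keep their old recovery field until cipher /u (or a rewrite of the file) refreshes it.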


