Re: EFS encrypted files are not accessed through network on Win2K server



Hi Brian,
thanks for the fast reply!

Hi, there!
I have a Win2K Adv server with a shared folder. There's a subfolder at a
lower level encrypted by EFS. I need to access it from a client (under
the same account). I don't use a CA.

My steps:
1. Export certificate and private key from server (MMC->Certificate-
Current User->Personal->Certificates-> [account name] -> Export) to
shared drive somewhere.
2. Import certificate and private key to client computer (MMC-
Certificate->Current User->Personal->Certificates->Import). It is now
stored in the same place as on the server.

Now I try to access the encrypted files - 'access denied'.

What am I doing wrong?

Please advise.

You need to understand how EFS works.

I still cannot find any documentation about that... The MS resources I
found are only bits and pieces..

When you encrypt files on a server,
the encryption/decryption is a local process *on the server*.
The server must be trusted for delegation and it *impersonates* the user.

Sorry, I forgot to mention, it is definitely trusted for delegation. I
double checked...

When you did step 1, you possibly deleted the private key on export. You
will need to add it back. Also, you need to make sure that you are using
the correct private key (efsinfo /u /r /c will show the correct certificate
thumbprints that you need).

Using efsinfo on the server I can see the 'users who can decrypt' and
the 'certificate thumbprint' I need. However, if I run efsinfo remotely
from the client in the shared folder I see only 'users who can
decrypt' (no 'certificate thumbprint').
Although it is the same user 'domain\username', I cannot read the file
from the client (access denied). Reading the same file on the server is
no problem.

Again, what we have:
1. Server is trusted for delegation.
2. Server has a share with an encrypted subfolder containing a file. User
'domain\username' can read the file locally with no problem.
3. Client computer is connected to that share. The same user 'domain
\username' cannot read the same file (access denied).

Same question:
What am I doing wrong?

Brian, I could really use your help here.

Step 2 was not required, as the certificate is never used on the client.

Looks like you are right... What's the point of importing it, though?
Only if we copy encrypted stuff to this computer from somewhere?..

Brian
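An added diagnostic script, not from this thread, Brian, or Microsoft, that checks the three things his explanation turns on: whether the file really carries the EFS attribute, whether the user's EFS certificate still has its private key (the "deleted the private key on export" case), and whether the server's computer account is trusted for delegation. It assumes a current Windows with PowerShell and the ActiveDirectory RSAT module, neither of which Windows 2000 ships (there efsinfo plays the role cipher /c plays below), and uses the placeholder server name FILESERVER.

```powershell
# Added example (not the thread's own commands). Assumes modern PowerShell,
# the ActiveDirectory module, and a placeholder server name.
param(
    [Parameter(Mandatory)] [string] $Path,       # file on the share or on the server's disk
    [string] $ServerName = 'FILESERVER'          # placeholder: the file server's computer name
)

# 1. Does the file actually have the EFS Encrypted attribute set?
$attrs = (Get-Item -LiteralPath $Path).Attributes
$isEncrypted = ($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0
"Encrypted attribute on ${Path}: $isEncrypted"

# 2. Which EFS certificates does the current user hold, and do they carry a private key?
#    1.3.6.1.4.1.311.10.3.4 is the Encrypting File System enhanced key usage OID.
#    Because the server decrypts under impersonation, run this step logged on at the
#    server as the user in question; the client's store is not consulted.
$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' }
if (-not $efsCerts) { "No EFS certificate in the user's personal store." }
foreach ($c in $efsCerts) {
    "EFS cert {0}  private key present: {1}  expires {2}" -f $c.Thumbprint, $c.HasPrivateKey, $c.NotAfter
}

# 3. Is the server's computer account trusted for delegation? Needed because the
#    server impersonates the remote user to decrypt on their behalf.
Import-Module ActiveDirectory
$comp = Get-ADComputer -Identity $ServerName -Properties TrustedForDelegation
"$ServerName trusted for delegation: $($comp.TrustedForDelegation)"

# 4. Show which certificate thumbprints the file itself accepts (cipher /c on current
#    Windows; efsinfo /u /r /c on Windows 2000) for comparison with step 2.
cipher.exe /c $Path
```

Compare the thumbprints printed in step 4 against the certificates listed in step 2: a thumbprint that appears on the file but not in the user's store on the server, or appears with "private key present: False", explains an access denied that the user's own permissions do not.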

- Show quoted text -


.


