Re: EFS with files on network share
From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 02/26/04
- In reply to: Gordon: "EFS with files on network share"
Date: Wed, 25 Feb 2004 19:53:57 -0800
1. Choose any certificate that has a private key on the target machine. If
your users have roaming profiles, this can be easy. If not, you might be
shuffling certificates around and trying to export certs with their private
keys on the server. It's not pretty.
2. There is a cache, but I'm not sure that's what you're seeing. Are you
sure it's using a completely different cert than the one you picked? You
selected the cert using the UI on XP or Server 2003 or you wrote your own
app?
3. The only time EFS does revocation checking is in the "add user through
the UI" codepath. I guess you are using the UI. If (on the server) you
open the certificate UI for the cert you're trying to add, is there a big
red X of "something's wrong"? How about on the client-side?
#3 is the really disturbing one for me - if your CA's online and the certs
are ok I'm not sure quite what could be going wrong. If everything checks
out but the add user still fails with the revocation error, please let me
know. I'd like to be able to reproduce a problem like that.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

"Gordon" <gdccyuen@alumni.cuhk.net> wrote in message
news:uPiU9m0%23DHA.2576@tk2msftngp13.phx.gbl...
> Anyone doing file encryption on network share?
>
> I tested using 2 accounts: X and Y, and did have some success. However
> there are a lot of things I can't understand:
>
> 1. X and Y both have multiple EFS certificates (result of using
> Auto-enrollment from AD integrated CA?), should X choose the most recent
> one or what?
>
> 2. If X wants to encrypt the file using another certificate from Y, the
> server refuses and continues to use the previously picked one. Some cache on
> server needs to be cleaned?
>
> 3. All of a sudden, X could not add any certificate with an error
> 'Revocation Server is offline'. I tried to capture the network traffic but
> found no traffic at all which seems to check anything about certificate
> revocation, any idea?
>
> Gordon
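
The checks in points 1 and 3 above can also be run from a PowerShell prompt instead of the certificate UI. This is an added example, not part of the original post; it assumes the certificates live in the current user's personal store and uses the .NET `X509Chain` class, which may not match the exact check EFS performs in its "add user" codepath.

```powershell
# Added example: list the current user's EFS-capable certificates, show which
# ones have a private key on this machine, and run an online revocation check.
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Find the Enhanced Key Usage extension, if the certificate has one.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # Assumption: only certificates that explicitly list the EFS purpose are of
    # interest here; certificates without an EKU extension are skipped.
    if (-not $eku) { return }
    $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    if ($oids -notcontains $efsOid) { return }

    # Build the chain with online revocation checking for every certificate in it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ChainValid    = $valid
        # Values such as OfflineRevocation, RevocationStatusUnknown or Revoked
        # point at the CRL/OCSP side rather than at the certificate itself.
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
} | Sort-Object NotAfter -Descending | Format-Table -AutoSize
```

Run it on both the client and the server (as the user in question) and compare the results. The thumbprints can be matched against the ones `cipher /c <file>` reports for an encrypted file to see which certificate was actually used.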