Re: EFS Recovery Agent

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/25/05


Date: Thu, 24 Feb 2005 21:41:34 -0600

Your RA certificate AND private key need to be on the computer where you try
to recover a file. If you did not create your RA certificate/private key on
that server, you need to export it and the private key from the computer
where it exists to a password-protected .pfx file. Then copy that file to the
server and open the .pfx file to install it to the user certificate store for
your account on the server. Use the MMC Certificates snap-in for user
certificates to verify that it exists in the Personal/Certificates folder and
that the private key exists, as would be stated on the General page for the
certificate. --- Steve

"Lee" <lee@nowehere.com> wrote in message
news:uNXPS3mGFHA.580@TK2MSFTNGP15.phx.gbl...
> Steve,
>
> Ok, after taking your advice this is what I have done.
>
> I used Cipher to generate a recovery certificate on my PC.
>
> I edited my default domain policy adding myself as a recovery agent, using
> the certificate I created using cipher.
>
> I then had a test user encrypt a file on a file server in the domain.
>
> I then logged on locally to the file server as myself. When I then tried
> to decrypt the file, it says "access denied".
>
> In the details of the encryption settings of the file, I am listed as a
> DRA, with the correct thumbprint.
>
> Any ideas ?
>
> TIA
>
> Lee
> "Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message
> news:OoY9ZZjGFHA.2732@TK2MSFTNGP15.phx.gbl...
>> You can use the cipher /R command on an XP Pro computer to generate a
>> Recovery Agent certificate which would be the logged on user. I suggest
>> however that you create an enterprise CA for the domain even if you use it
>> to issue that one certificate. It really is not that hard to do. If you want
>> to try the XP Pro generated certificate be SURE to test it out first to make
>> sure that it works the way you expect for domain EFS file recovery so as to
>> not lose permanent access to any EFS files. You can use the efsinfo utility
>> to then view the RA associated with any EFS files. I believe that existing
>> files will need to be opened to update them with the new RA or that can be
>> done via the cipher command from the logged on user for XP Pro. Be sure to
>> keep a couple of copies of the RA certificate/private key stored in
>> password protected .pfx files in safe places. --- Steve
>>
>>
>> "Lee" <lee@nowehere.com> wrote in message
>> news:eRCLGMdGFHA.616@TK2MSFTNGP10.phx.gbl...
>>> Curtis,
>>>
>>> thanks for your reply, I had followed that document, however, when I try
>>> to add a recovery agent using the Add Recovery Agent Wizard, it tells me
>>> that "the selected user has no certificates suitable for EFS Recovery and
>>> cannot be selected as a recovery agent."
>>>
>>> So, I guess my question is, how do I create an EFS Recovery certificate
>>> for my user that I want to be a recovery agent
>>>
>>> TIA
>>>
>>> Lee
>>> "Curtis Koenig [MSFT]" <curtisko@online.microsoft.com> wrote in message
>>> news:fM5xOGdGFHA.1140@TK2MSFTNGXA02.phx.gbl...
>>> > The help file for Windows XP has a good set of steps for how to specify a
>>> > recovery agent:
>>> >
>>> > <<<<<<<<<<<<<>>>>>>>>>>>>>>
>>> > To add a recovery agent for a domain
>>> > Open Active Directory Users and Computers.
>>> > Right-click the domain whose recovery policy you want to change, and then
>>> > click Properties.
>>> > Click the Group Policy tab.
>>> > Right-click the recovery policy you want to change, and then click Edit.
>>> > In the console tree, click Encrypted Data Recovery Agents.
>>> > Where?
>>> >
>>> > Computer Configuration
>>> > Windows Settings
>>> > Security Settings
>>> > Public Key Policies
>>> > Encrypted Data Recovery Agents
>>> > In the details pane, right-click, then click Add, and follow the
>>> > instructions.
>>> > Notes
>>> >
>>> > You must be logged on as an administrator or a member of the Administrators
>>> > group in order to complete this procedure. If your computer is connected to
>>> > a network, network policy settings might also prevent you from completing
>>> > this procedure.
>>> > To start Active Directory Users and Computers, open a Remote Desktop
>>> > Connection to either a Windows 2000 domain controller or a member server
>>> > that has Windows 2000 Administration Tools installed. You must log on to
>>> > the server as a domain administrator in order to complete this procedure.
>>> > This operation can be performed on any sites, domains or organizational
>>> > units within an Active Directory forest.
>>> > Adding a recovery agent from a file identifies the user as USER_UNKNOWN.
>>> > This is because the name is not stored in the file.
>>> > Before you can add or create a recovery agent, you must configure Group
>>> > Policy on your computer. For more information about using Group Policy, see
>>> > Related Topics.
>>> > <<<<<<<<<<<<<>>>>>>>>>>>>>>
>>> >
>>> > I would also suggest the following KB
>>> >
>>> > 223316 Best practices for the Encrypting File System
>>> > http://support.microsoft.com/?id=223316
>>> > --
>>> > Curtis Koenig
>>> > Security Support Engineer
>>> > Product Support Services, Security Team
>>> > MCSE, MCSES, CISSP
>>> >
>>> > This posting is provided "AS IS" with no warranties and confers no
>>> > rights.
>>> > Please reply to the newsgroup so that others may benefit. Thanks!
>>> >
>>> > --------------------
>>> >>From: "Lee" <lee@nowehere.com>
>>> >>Subject: EFS Recovery Agent
>>> >>Date: Wed, 23 Feb 2005 16:49:50 -0000
>>> >>
>>> >>Hi,
>>> >>
>>> >>Hopefully someone can advise.
>>> >>
>>> >>I am trying to setup EFS in my domain, I would like to change the default
>>> >>EFS recovery agent from Administrator to a user. We do not currently have
>>> >>a CA, however, from what I have read, this is not necessarily required.
>>> >>
>>> >>Could someone please advise whether a CA is required, and if not, point me
>>> >>in the direction of some help on how to do this.
>>> >>
>>> >>TIA
>>> >>
>>> >>Lee
>>> >>
>>> >>
>>> >>
>>> >
>>>
>>>
>>
>>
>
>
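An added example, not taken from any of the posts above, that scripts the two procedures the thread describes: Steve's export/import of the RA certificate and private key into the user store on the file server, and the cipher /R, test-before-you-trust and efsinfo checks from his earlier post. It assumes Windows 8 / Server 2012 or later PowerShell with the PKI module (the 2005 thread is about XP/2003, where the equivalent steps are certmgr.msc and efsinfo /R); the paths, the EFSRA file name and the sample file are placeholders, and the parsing of cipher /C relies on its "Certificate thumbprint:" output lines, which is an assumption about the tool's output format.

```powershell
# Added example (not from the thread): stage an EFS Data Recovery Agent (DRA) key on
# the file server and verify it before trusting it for recovery.
# Assumptions: PowerShell 5.1+ with the PKI module (Windows 8 / Server 2012 or later),
# run interactively in the recovery agent's own user session on the file server.
# All paths and file names below are placeholders.

$PfxPath        = 'C:\RA\EFSRA.pfx'   # produced on the admin PC by: cipher /R:C:\RA\EFSRA  (prompts for a password)
$CerPath        = 'C:\RA\EFSRA.cer'   # public half; this is the file you add as the DRA in Group Policy
$BackupPfxPath  = 'E:\Offline\EFSRA-backup.pfx'
$EfsRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # Microsoft EKU "File Recovery" (the EFS DRA usage)

# 1. Import the .pfx into the *user* store (Cert:\CurrentUser\My), not LocalMachine.
#    EFS looks for the DRA private key in the profile of the user doing the recovery.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$ra = @(Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword)[0]

# 2. The check Steve describes doing in the MMC snap-in: the certificate is in
#    Personal\Certificates, carries the File Recovery EKU, and has its private key.
function Test-EfsRecoveryCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekuValues = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
    [pscustomobject]@{
        Thumbprint     = $Cert.Thumbprint
        HasPrivateKey  = $Cert.HasPrivateKey
        IsFileRecovery = ($ekuValues -contains $EfsRecoveryEku)
        NotAfter       = $Cert.NotAfter
    }
}
$status = Test-EfsRecoveryCert -Cert $ra
$status | Format-List
if (-not $status.HasPrivateKey) {
    throw 'Private key missing: re-export from the machine that generated it, with "Yes, export the private key".'
}
if (-not $status.IsFileRecovery) {
    throw 'Certificate lacks the File Recovery EKU; the Add Recovery Agent wizard will reject it.'
}

# 3. Compare the installed certificate with the DRA the encrypted file actually carries.
#    cipher /C prints a "Certificate thumbprint: XXXX XXXX ..." line for each user and
#    recovery agent (assumed output format; on XP/2003 use "efsinfo /R /U" instead).
function Get-EfsThumbprints {
    param([string]$Path)
    foreach ($line in (cipher.exe /C $Path)) {
        if ($line -match 'Certificate thumbprint:\s*(.+)$') {
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}
$file   = 'D:\Shares\Finance\secret.xlsx'   # placeholder: a file the test user encrypted
$onFile = Get-EfsThumbprints -Path $file
if ($onFile -notcontains $ra.Thumbprint) {
    Write-Warning "File does not list this DRA ($($ra.Thumbprint)); it was encrypted before the policy changed."
    Write-Warning 'Have the owner run "cipher /U" (or open and re-save the file) so the new DRA is added.'
}

# 4. The actual recovery: clear the encryption attribute. "Access is denied" here means
#    the DRA private key was not usable in this session (wrong store, or key not imported).
cipher.exe /D $file

# 5. Keep offline copies, as the thread advises: export again with the private key to a
#    fresh password-protected .pfx and move it somewhere safe.
Export-PfxCertificate -Cert $ra -FilePath $BackupPfxPath -Password $pfxPassword | Out-Null
```

Run this as the recovery agent, logged on locally or over RDP to the file server, after the .cer has been added under Encrypted Data Recovery Agents in Group Policy and the policy has refreshed; the thumbprint comparison in step 3 is what separates "the policy is wrong" from "the key is not on this machine", which is the distinction Lee's "access denied" report does not make.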


