Re: EFS Certificates in AD 2003



Unless you are using a roaming profile, the only way you can encrypt files on
a computer is to have a user EFS certificate AND private key on that
computer. Since one did not exist on the server, it created one for you, as
apparently it did not have access to the CA. If you had imported your EFS
certificate and private key into your user profile on the server using a
password-protected .pfx file that you exported from the computer that did
contain your EFS certificate and private key, then it would have been used.
Otherwise, if you log on to ten different computers using EFS, you will have
at least ten different EFS certificates/private keys. Yes, this does make
EFS confusing and challenging in environments where you want to have EFS
files on more than one computer. Be sure to read the link below on EFS best
practices if you have not seen it yet. It is not that hard for a user to
lose permanent access to his own EFS files. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- PKI
best practices.

"BubBeard" <u23620@uwe> wrote in message news:628d97196ee6a@xxxxxx
I have an Enterprise 2003 CA that is issuing Basic EFS certificates. When I
encrypt a file on a local computer running XP, the file is encrypted with the
Basic EFS certificate that was issued by the CA.

Here is my problem. When I encrypt a file on a different server from my XP
machine, the server encrypts the file with a user signed certificate. It is
not using the Basic EFS certificate from my machine. The certificate was
auto generated by the remote server since I had never encrypted a file on the
server before.

What is going on? I have looked through the registry of the remote server
and I cannot find the certificate that is assigned to my machine so I don't
know how to remove it.

