Re: About EFS and local certificate that I want to export



You need to get your head around how EFS works.
EFS is local file encryption (always). When you connect to a server using
SMB connections, the file is transferred to/from the server in the clear.
The encryption/decryption takes place at the server.

In your case, you added the incorrect EFS certificate in step 4. You would
need to add the EFS certificate that Pascal would use *on* computer XP_B.

When Pascal connects over the network to XP_B, the computer account for
XP_B impersonates Pascal, and generates a new EFS certificate for Pascal.

Even with a certificate authority, you would run into the same issue.
I recommend that you investigate Certificate Roaming Service on
microsoft.com.

Brian


On Fri, 04 May 2007 15:17:59 +0200, Pascal wrote:

Hello,

I have tested something, but I am not sure that I am right!

I have two computers, XP_A and XP_B, members of an Active Directory domain
with no certificate authority.
There are two users: Pascal and Isabelle.

1. Pascal logs on to XP_A and encrypts a file with EFS.
2. Pascal exports his certificate through Internet Explorer (with or
without the private key, the issue will be the same).
3. Now, on XP_B, an admin installs the Pascal certificate on the
computer (in the "Trusted People" store).
4. Isabelle logs on to XP_B and encrypts a file with EFS, then she adds
the Pascal certificate to authorize him to access this encrypted file.
5. Pascal is connected to XP_A and opens the encrypted files for which
his certificate is attached on XP_B, but he still gets access denied.

Question: Why is Pascal not able to access this file from the network?
(From XP_A to XP_B)

More generally, if I export an EFS user certificate from one computer
to another, can I access the encrypted file through the network?

With a certificate authority, I think there will be no problem, but I
would like to understand why it is not working like this.

Thank you


