Re: EFS and DRA. Admin unable to decrypt
From: yoggie (yoggie@hotmail.com)
Date: 02/16/03
From: "yoggie" <yoggie@hotmail.com> Date: Sun, 16 Feb 2003 14:33:33 -0800
Hi Ellen

I'm sorry, I'm afraid I did make a slight error in regard to importing the *.PFX into the local group policy > the only option is to import the *.CER & then import the *.PFX into the "personal store" of the MMC certificates snap-in.

I'm just curious Ellen, seeing as how u have defined the DRA & also have the *.pfx in the "personal store" > have u tried creating a new user account, logging in with the details of that new user account, encrypting some files & then logging out as that user, then logging in as DRA & trying to access those files?

If u check the properties of the file, click the advanced button & then in the "compress and encrypt attributes" area of the screen click the "details" button -- does it show u who the DRA is? If not, I suspect the DRA may have been created after the file was encrypted by the user ¬ before.

Let me know how it's progressing?

>everything you told me is ok and I understand it, but I still have
>the problem.
>
>It's clear that the DRA and his certificate (.cer and .pfx) must
>be the first thing on the machine, after that I log in as a user and
>encrypt a file.
>
>I also imported the .pfx file in the personal-store of the certificate
>snap-in. I checked it and I can see in the properties that the
>certificate has a private key, so I am sure he has taken the .pfx file.
>
>When I import the .pfx file in the personal-store he shows me in the
>properties that the certificate is not trusted. But I think this is
>also ok, I have read that he makes a self-signed certificate (which is
>always not trusted) when you are on a stand-alone PC and EFS accepts it
>as valid.
>
>(By the way I made a test and imported it in the trusted people store
>too. The properties tell me that now I have a trusted certificate but
>the effect is just the same. I am not able to decrypt.)
>
>In your first answer to me you wrote that I should also try to import
>the .pfx file in the local group policies. That's not impossible, the
>Import-wizard gives me only the possibility to import .cer files, no
>other extensions are available. I don't know another way how I could
>import the .pfx file in the local group policies without a wizard.
>Do you?
>
>But I don't think that there is something wrong with the certificate
>itself, because when I log in as a user and look at the properties of
>the encrypted file I see that the DRA is listed and I see the
>thumbprint of the DRA. The thumbprint is exactly the same as shown in
>the properties of the certificate of the DRA when I am logged in as DRA.
>When the thumbprint is identical then I should be able to decrypt the
>file. But it doesn't work.
>
>Slowly but clearly I get mad about this.
>
>regards
>Ellen
>
>
>"yoggie" <yoggie@hotmail.com> wrote in message
>news:024a01c2d2ea$b4f43a40$a201280a@phx.gbl...
>>
>> Create the PFX/CER via the cipher /r: command
>>
>> Then import the "CER" into the Windows Settings/Security
>> Settings/Public Key Policies/Encrypting File System
>> container of the group policy which u can get into by
>> typing gpedit.msc via Start/Run >
>>
>> Now this is your missing link: the "CER" is only for
>> identifying the "recovery agent". What u need to do is
>> import the "PFX" which was generated via the cipher /r:
>> command into the certificates "Personal store" > simply
>> locate the "PFX" & double click on it & all should be
>> sweet after that >
>>
>> NOTE: The Recovery agent must be created & the PFX
>> imported into the personal certificate store of the
>> certificates snap-in before any user encrypts files so the
>> Recovery agent can have access to those files
>>
>> regards
>>
>> yoggie
>
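
The order of operations discussed in this thread, written out as a cmd script. This is an added example, not part of any poster's message; the script's stage names (agent, user, refresh), C:\DRA, C:\EfsTest and the file names are constructed. It goes one step beyond the thread by including cipher /u, which applies when files were encrypted before the recovery agent was defined.

```batch
@echo off
rem Added example, not from the thread. C:\DRA, C:\EfsTest and the file
rem names are constructed. Run each stage from the logon named in its comment.
if /i "%~1"=="agent"   goto agent
if /i "%~1"=="user"    goto user
if /i "%~1"=="refresh" goto refresh
echo usage: %~nx0 agent ^| user ^| refresh
exit /b 1

:agent
rem Logged on as the intended recovery agent, before any user encrypts.
if not exist C:\DRA mkdir C:\DRA
rem Prompts for a password, then writes C:\DRA\dra.cer and C:\DRA\dra.pfx.
cipher /r:C:\DRA\dra || exit /b 1
rem Public half: add dra.cer under Public Key Policies > Encrypting File System.
start "" gpedit.msc
pause
rem Private half: the Certificate Import Wizard puts dra.pfx in the Personal store.
start "" C:\DRA\dra.pfx
exit /b 0

:user
rem Logged on as an ordinary test user, after the agent stage is complete.
if not exist C:\EfsTest mkdir C:\EfsTest
rem Mark the folder so files created in it are encrypted.
cipher /e C:\EfsTest || exit /b 1
echo recovery test> C:\EfsTest\sample.txt
rem List the folder; an E in the first column means the file is encrypted.
cipher C:\EfsTest\*
exit /b 0

:refresh
rem Logged on as the user who owns files encrypted before the agent was defined.
rem /u touches the encrypted files on local drives so their recovery agent
rem key is updated to the current policy.
cipher /u
exit /b 0
```

After the user stage, log on as the recovery agent and open C:\EfsTest\sample.txt; the file's Details dialog should list the same thumbprint as the certificate in the agent's Personal store.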