Re: EFS multiple certificates associated with single user
From: Pat Hoffer [MSFT] (pathoff_at_online.microsoft.com)
Date: 05/07/05
- In reply to: anita1766_at_yahoo.com: "Re: EFS multiple certificates associated with single user"
Date: Sat, 7 May 2005 13:18:04 -0700
The Certificates snap-in does not have access to the private keys for
CertA/CertB because those keys are encrypted with previous passwords. The
snap-in can only access (or export) keys encrypted with your current
password. AEFSDR is an application that has the functionality to decrypt
keys that are encrypted with previous passwords. That's why AEFSDR can
access those keys.
I couldn't reproduce your add-user scenario. The current certificate did
not get added to the file in my case. Perhaps you can find the answer here:
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prde_ffs_phvy.asp
Scroll down to "Authorizing Multi-User Access." There's also much
information about EFS in general in the Resource Kit that might be helpful to
you. (Be sure to run "cipher /x" to back up your current certificate/key.
That's the best protection for any future issues.)
Thanks.
Pat
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"anita1766@yahoo.com" wrote:

> Pat,
> The problem with the hotfix does appear to be similar to mine in that I
> did make password changes through expired password. But if it was the
> same problem as the hotfix one, I should have been able to recover my
> files once I changed back to my old password. I could not.
> However, I COULD recover files through aefsdr after supplying the same
> passwords. Now I know which passwords apply to each of the files.
>
> I am going to talk about specifics here if I may. Currently there are
> three certificates in the personal store, CertA, CertB and CertC. CertC
> is the current certificate. Problem files are encrypted with
> CertA/CertB. (Actually there is another CertD, but I'll get to that
> when I've understood this problem!)
>
> I tried to do what you suggested, certificates addon: personal
> certificates > tasks > export private key. "Yes, export private key" is
> available only for the current user certificate. CertA and CertB
> have the option greyed out.
> If the private key is not really available/corrupted, how come the
> 'aefsdr' finds the private keys for CertA, CertB by scanning the drive
> and then proceeds to decrypt the file with these keys?
>
> On each of the files with either CertA/CertB, I tried the following:
> Adding to "Users who can trans...". The available list of unadded
> certificates showed CertC, the current certificate. I clicked on it and
> added, it did not complain. Just did nothing, closed the window. Does
> not even give me an error message.
>
> So is there some code somewhere which compares certificate thumbnails
> while listing potential addable certificates but compares just user
> names just before adding?
>
> Thanks
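
The comparison this thread keeps circling (which certificates are attached to a file versus which are in the Personal store) can be scripted; the following is an added example, not part of either post and not Microsoft's code. It assumes a Windows version newer than the XP system discussed, where PowerShell and `cipher /c` exist, English `cipher` output, and hypothetical function names and file path.

```powershell
# Added example. Function names are hypothetical; pass your own file path.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

function Get-EfsCertificate {
    # Certificates in the current user's Personal store that carry the EFS EKU.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $EfsOid)
    }
}

function Get-EfsFileThumbprint {
    param([Parameter(Mandatory)][string]$Path)
    # Assumption: `cipher /c` prints "Certificate thumbprint: XXXX XXXX ..." lines
    # (English locale) for each user and recovery certificate on the file.
    cipher /c $Path |
        Select-String -Pattern 'Certificate thumbprint:\s*(.+)$' |
        ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpperInvariant() }
}

function Compare-EfsFileToStore {
    param([Parameter(Mandatory)][string]$Path)
    $onFile = @(Get-EfsFileThumbprint -Path $Path)
    $store  = @(Get-EfsCertificate)
    foreach ($cert in $store) {
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            InStore       = $true
            # Only says the store entry references a key, not that the key can be opened.
            HasPrivateKey = $cert.HasPrivateKey
            OnFile        = $onFile -contains $cert.Thumbprint
        }
    }
    # Thumbprints on the file with no matching certificate in the store.
    $known = @($store | ForEach-Object { $_.Thumbprint })
    foreach ($tp in ($onFile | Where-Object { $known -notcontains $_ })) {
        [pscustomobject]@{ Thumbprint = $tp; NotAfter = $null; InStore = $false
                           HasPrivateKey = $null; OnFile = $true }
    }
}

# Usage: Compare-EfsFileToStore -Path 'C:\path\to\encrypted-file' | Format-Table
# Then, as advised in the post, run `cipher /x` to back up the current certificate/key.
```

A row with `OnFile = True` and `InStore = False` means the file was encrypted to a certificate the current profile no longer holds, which is the CertA/CertB situation described above.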