RE: troubleshooting shared EFS on Windows XP

From: Pat Hoffer [MSFT] (pathoff_at_online.microsoft.com)
Date: 06/23/05


Date: Wed, 22 Jun 2005 20:26:02 -0700

To be able to share encrypted files remotely, the machine account hosting the
share must be "trusted for delegation" and both users must have profile
directories on that machine. You can do this by having the second user log
onto the machine and encrypting a file so that his profile contains an EFS
certificate/key. After that the first user can add that certificate to files
for remote access by the second user. (The added certificate must be the
same certificate that's in the profile directory. Check the thumbprint in
the certificate properties.) If the second user has a roaming profile with
an EFS certificate published to AD, the first user can add that certificate
to files. In the roaming profile case, a logon is not necessary.

I hope I haven't completely confused you, but sharing encrypted files
remotely is a little tricky--but it can be done. You can read more about it
here:
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_hzqx.asp
Look under Ch 17 > Remote EFS Operations on File Shares and Web Folders >
Remote EFS Operations in a File Share Environment.

Thanks.
Pat

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
"dpapas665" wrote:
> I've been trying to get an EFS encrypted file located on a user's
> machine available to another user.  Both machines are in the domain,
> NTFS permissions are wide open, and all relevant users' EFS
> certificates have been imported and show up both in the "Details"
> window and in the "trusted people" store.  By all accounts, the added
> user should be able to open this file, but I've had no luck so far
> making this happen.  Any ideas on how to proceed with troubleshooting
> this issue?  
> 
> Thanks,
> -D.
> 
> 
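
Added example, not part of the original posts: a PowerShell sketch of the two checks the reply describes, namely whether the machine account hosting the share is trusted for delegation, and whether the certificate added to the file matches an EFS certificate in the user's profile. It assumes a domain-joined machine with PowerShell installed, and that it is run on the machine hosting the share while logged on as the second user; the server name and thumbprint are placeholders.

```powershell
# Added example: placeholder values, replace before running.
param(
    [string]$Server = 'FILESRV01',                          # hypothetical host of the share
    [string]$ExpectedThumbprint = 'THUMBPRINT-FROM-FILE-DETAILS'  # as shown on the file
)

$TrustedForDelegation = 0x80000                 # userAccountControl flag TRUSTED_FOR_DELEGATION
$EfsEku               = '1.3.6.1.4.1.311.10.3.4' # Encrypting File System EKU OID

# 1. Is the machine account hosting the share trusted for delegation?
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$Server`$))"
[void]$searcher.PropertiesToLoad.Add('userAccountControl')
$entry = $searcher.FindOne()
if (-not $entry) { throw "Computer account '$Server' not found in the directory." }
$uac = [int]$entry.Properties['useraccountcontrol'][0]
$isTrusted = ($uac -band $TrustedForDelegation) -ne 0
'{0}: trusted for delegation = {1}' -f $Server, $isTrusted

# 2. Which EFS certificates with a private key are in this user's profile?
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and (
        $_.Extensions |
            Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $EfsEku }
    )
})
if ($efsCerts.Count -eq 0) {
    'No EFS certificate with a private key in this profile; encrypt a file locally first.'
}

# 3. Does the certificate added to the file match one in the profile?
# The certificate dialog shows the thumbprint with spaces and in lower case; normalise it.
$wanted = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
foreach ($cert in $efsCerts) {
    '{0}  expires {1:yyyy-MM-dd}  match = {2}' -f `
        $cert.Thumbprint, $cert.NotAfter, ($cert.Thumbprint -eq $wanted)
}
```

If no line reports `match = True`, the certificate on the file is not the one held in this profile, which is the mismatch the reply warns about.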

