Re: troubleshooting shared EFS on Windows XP

From: dpapas665 (dpapas665_at_yahoo.com)
Date: 06/23/05


Date: 23 Jun 2005 09:20:37 -0700

OK, I logged locally into the machine and imported my cert (including
private key) to the remote machine and turned on "trust computer for
delegation" in AD. Thus far, that solved the problem in that, if a file
is encrypted, both users can decrypt it when logged locally into that
machine. However, I found I was still unable to remotely encrypt or
decrypt it. Trying to decrypt, I got "access denied". Trying to encrypt,
I got the error: "the requested operation requires delegation to be
enabled on the machine".

So, the remaining problem looks to be the "trust computer for
delegation". I checked the userAccountControl field for the computer
account in ADSIEdit to see if the setting had taken, and it appears to
have the value (528834) required as specified by MS KB# 305144, and the
user account doesn't have the "account is sensitive and cannot be
delegated" property set. So, at this point I'm not sure why the remote
machine won't impersonate the user as pointed out in the article you
referred me to:

Remote EFS operations in a file share environment
6. EFS must impersonate the user to obtain access to the necessary
public or private key. This requires the following:

   1. The computer must be a domain member in a domain that uses
Kerberos authentication because impersonation relies on Kerberos
authentication and delegation.
   2. The computer must be trusted for delegation.
   3. The user must be logged on with a domain account that can be
delegated.

Thanks again,
-D.
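The post checks two things by hand in ADSIEdit: whether the computer account's userAccountControl carries the TRUSTED_FOR_DELEGATION bit that KB 305144 describes, and whether the user account has "account is sensitive and cannot be delegated" (the NOT_DELEGATED bit) set. The following is an added example, not code from the original thread: an offline decoder for userAccountControl using the flag values published in KB 305144, plus a check of requirements 2 and 3 from the quoted article against raw attribute values. The attribute values passed in below are constructed for illustration (528384 is the KB's value for a workstation account trusted for delegation; 512 is a plain NORMAL_ACCOUNT); in practice you would read them from the directory with ADSIEdit or an LDAP query. Note that "trust computer for delegation" on a Windows 2000/XP-era domain is unconstrained delegation: once set, any service on that machine can impersonate connecting users to any other service, so it should be granted only to the specific file server that needs it.

```python
# Added example: decode userAccountControl and check the two delegation
# prerequisites from the quoted EFS article. Flag values are the ones
# listed in Microsoft KB 305144.

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

TRUSTED_FOR_DELEGATION = 0x80000
NOT_DELEGATED = 0x100000
MACHINE_ACCOUNT = 0x1000 | 0x2000  # workstation or server trust account


def decode_uac(value: int) -> list[str]:
    """Return the names of every flag set in a userAccountControl value,
    lowest bit first. Unknown bits are reported as hex so nothing is lost."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def delegation_check(computer_uac: int, user_uac: int) -> dict:
    """Evaluate requirements 2 and 3 of the quoted article:
    the computer must be trusted for delegation and the user must not be
    marked 'sensitive and cannot be delegated'."""
    return {
        "computer_is_machine_account": bool(computer_uac & MACHINE_ACCOUNT),
        "computer_trusted_for_delegation": bool(computer_uac & TRUSTED_FOR_DELEGATION),
        "user_can_be_delegated": not (user_uac & NOT_DELEGATED),
    }


def delegation_ok(computer_uac: int, user_uac: int) -> bool:
    """True only when every prerequisite in delegation_check() holds."""
    return all(delegation_check(computer_uac, user_uac).values())


if __name__ == "__main__":
    # Constructed sample values, not read from any real directory.
    computer = 0x81000   # 528384: WORKSTATION_TRUST_ACCOUNT + TRUSTED_FOR_DELEGATION
    user = 0x200         # 512: NORMAL_ACCOUNT
    sensitive_user = 0x200 | NOT_DELEGATED
    print("computer flags:", decode_uac(computer))
    print("delegation ok :", delegation_ok(computer, user))
    print("sensitive user:", delegation_ok(computer, sensitive_user))
```

If the two checks pass and remote EFS still reports that delegation is required, the remaining candidates are requirement 1 (the session must actually be Kerberos, which NTLM fallback silently breaks) and the fact that a delegation change on the computer account only takes effect after the machine obtains a new ticket, so a reboot of the file server is a normal next step.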


