EFS/DRA

Group: Microsoft Applications Security
Posted by Steve on July 7, 2008, 12:40 pm
All,

I could really use some help with this EFS/DRA stuff. One thing at a time I
suppose.

I have successfully published a DRA via Group Policy (Win2k3/AD). I created
an encrypted file on an XP2 machine. When I click details of the encrypted
file, I can see the DRA. Associated with the user is a Cert Thumbprint.

I am logged onto a DC with the DRA user and when I open the Certificates
snap-in for mmc, the under Personal --> Certificates, the cert is there (with
the same Thumbprint). Likewise the same cert is listed under Active Directory
User Object --> Certificates. However when I try to access the files on the
XP machine from the DC (file share) it says access is denied. I am trying to
test the data recovery agent before implementing EFS on my network. Did I
miss a step?

Possibly related or unrelated, I am also having a problem with DC issued
certs vs. self-signed certs. I was testing with QA and found that I needed to
add his self-signed cert to the encrypted file so that he could view it. He
has been autoenrolled for an EFS cert (duplicate of Basic EFS) but it doesn't
appear to be working. What did I miss here? Also, I have noticed that many
users have been autoenrolled for the efs cert multiple times (viewing the
Certification Authority --> Issued Certificates).

Any and all help would be greatly appreciated.
-- Steve

Posted by Brian Komar (MVP) on July 7, 2008, 1:53 pm
some initial answers inline...

> All,
>
> I could really use some help with this EFS/DRA stuff. One thing at a time
> I
> suppose.
>
> I have successfully published a DRA via Group Policy (Win2k3/AD). I
> created
> an encrypted file on an XP2 machine. When I click details of the encrypted
> file, I can see the DRA. Associated with the user is a Cert Thumbprint.
This is good news <G>

>
> I am logged onto a DC with the DRA user and when I open the Certificates
> snap-in for mmc, the under Personal --> Certificates, the cert is there
> (with
> the same Thumbprint). Likewise the same cert is listed under Active
> Directory
> User Object --> Certificates.

Does it state that you have the private key associated with the certificate?
If yes, then export it now!! Do not pass go, do not wait for anything.
This is the only copy of the certificate and private key.


> However when I try to access the files on the
> XP machine from the DC (file share) it says access is denied. I am trying
> to
> test the data recovery agent before implementing EFS on my network. Did I
> miss a step?

To use the key as the DRA, you must log on *locally* at the computer. You
are connecting over the network. You are creating a profile on the remote
machine, generating a new EFS certificate, and attempting to open it with
that certificate. The encryption/decryption is all remote.
It is not a transfer of the encrypted file to your machine. It is a remote
decryption and transfer of the file in the clear.


>
> Possibly related or unrelated, I am also having a problem with DC issued
> certs vs. self-signed certs. I was testing with QA and found that I needed
> to
> add his self-signed cert to the encrypted file so that he could view it.
> He
> has been autoenrolled for an EFS cert (duplicate of Basic EFS) but it
> doesn't
> appear to be working. What did I miss here? Also, I have noticed that many
> users have been autoenrolled for the efs cert multiple times (viewing the
> Certification Authority --> Issued Certificates).


There is a KB article (sorry no time to search for it now) that prevents the
creation of self-signed certificates. In addition, you want to enable
Credential Roaming Services or Roaming profiles to prevent the re-issuance
of EFS certificates.
>
> Any and all help would be greatly appreciated.
> -- Steve
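The two points Brian makes above, that the DRA private key must be present in a local interactive logon on the machine holding the file and that it should be exported before anything else, can be checked with a short script. This is an added example, not code from the thread or from Microsoft; the parameter values are placeholders you supply, and the EKU OID 1.3.6.1.4.1.311.10.3.4.1 is the standard "File Recovery" usage that distinguishes a DRA certificate from an ordinary EFS certificate.

```powershell
# Added example, not from the thread: verify the DRA certificate and private key
# in the current (local, interactive) logon session, back the key up to a
# password-protected PFX, and show the recovery information on an encrypted
# file. Run it logged on at the machine that holds the file, as the DRA account.
# Parameter values are placeholders; the script is mine, not a Microsoft tool.
param(
    [Parameter(Mandatory = $true)][string]$DraThumbprint,   # thumbprint from the file's Details dialog
    [Parameter(Mandatory = $true)][string]$EncryptedFile,   # local path, e.g. C:\Data\test.txt
    [Parameter(Mandatory = $true)][string]$PfxBackupPath    # e.g. E:\dra-backup.pfx on removable media
)

$fileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" EKU carried by DRA certificates

# Match the thumbprint the way the store shows it: hex only, upper case, no spaces.
$DraThumbprint = ($DraThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $DraThumbprint }
if (-not $cert) {
    throw "No certificate $DraThumbprint in CurrentUser\My. A network logon does not load it; log on locally as the DRA."
}

# A recovery certificate carries the File Recovery EKU, not the ordinary EFS EKU.
$ekuValues = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value }
if ($ekuValues -notcontains $fileRecoveryEku) {
    Write-Warning "Certificate lacks the File Recovery EKU; EFS will not treat it as a recovery agent."
}

if (-not $cert.HasPrivateKey) {
    throw "Certificate is present but its private key is not; this session cannot recover anything."
}

# Back up certificate + private key first (the thread's "export it now"). Export fails
# if the key was generated non-exportable, in which case this store is the only copy.
$secure = Read-Host -AsSecureString -Prompt 'Password for the PFX backup'
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $plain)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}
[System.IO.File]::WriteAllBytes($PfxBackupPath, $pfxBytes)
Write-Host "DRA certificate and private key exported to $PfxBackupPath; keep that file offline."

# cipher.exe /c prints the file's encryption details, including the recovery
# certificates stamped into it; the thumbprint above should be among them.
cipher.exe /c $EncryptedFile

# Recovery itself is a local decrypt on this machine, e.g.  cipher.exe /d $EncryptedFile
# Over an SMB share the server would decrypt with whatever key the remote profile
# holds (a freshly generated one), which is where the access-denied error comes from.
```

Keep the exported PFX off the domain controller: once it is backed up, the usual practice is to remove the private key from the DC's store and import it only on the machine where a recovery is actually performed.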


Posted by Steve on July 7, 2008, 3:11 pm
Thanks for the response.

I exported the private key, assigned it a password and saved it. Now it says
there is a private key that corresponds to the certificate. You say that if
it does, export it. Didn't I just do that? Or should I do it again?

Thanks a lot for your help.
-- Steve


Posted by Brian Komar (MVP) on July 7, 2008, 3:28 pm
Nope, you only have to do it once.
I just wanted to make sure you had backed it up.
Brian



Posted by Steve on July 10, 2008, 4:45 pm
So either I'm missing something, or I completely misunderstand EFS.

I have turned off the self-signed certificates on a few XP machines (using
the hotfix from MS and the Group Policy Option to not allow a user to create
self-signed certs).

Since then, when I create an EFS file on my XP machine, it uses a cert from
my CA... Good. But when I try to add another user to the file, he is unable
to open it. (In fact since installing the hotfix and adding the GP option, he
can't even create a new file on the encrypted share). I have NOT done
anything with credential roaming yet. Is that my problem?

Bottom line, I want to encrypt a file on my machine (XP), add a user with
the ability to decrypt it, and allow them to open it on their machine. Is
this not possible?

Thanks,
-- Steve

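The thread ends without a reply to this last question, but Brian's earlier point already covers the mechanics: when the second user opens a file over a share, the decrypt happens on the machine that holds the file, in that user's profile there, so the private key matching the certificate added to the file has to be available in that profile (the credential roaming or roaming profile that Brian mentions). The following added diagnostic, which is mine and not from the thread or from Microsoft, lists the EFS certificates Active Directory publishes for a user (the ones the "Add user" dialog can offer), flags self-signed or expired ones, and, when run as that user on the machine holding the file, reports whether the matching private key is in his profile. The function names and the sample user and path are placeholders; the EKU OID 1.3.6.1.4.1.311.10.3.4 is the standard "Encrypting File System" usage.

```powershell
# Added example, not from the thread: diagnose why a second user cannot open an
# EFS file you shared with him. Lists the EFS certificates AD publishes for that
# user, flags self-signed or expired ones, and (run as that user on the machine
# holding the file) checks whether the matching private key is in his profile.
# Function and parameter names are mine; the EKU OID is the standard EFS one.

function Get-PublishedEfsCertificate {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $efsEku = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage
    $searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found in Active Directory." }

    foreach ($der in $result.Properties['usercertificate']) {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
        $ekuValues = $c.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }
        if ($ekuValues -notcontains $efsEku) { continue }   # not usable for EFS; skip it

        New-Object PSObject -Property @{
            Thumbprint = $c.Thumbprint
            Subject    = $c.Subject
            Issuer     = $c.Issuer
            SelfSigned = ($c.Subject -eq $c.Issuer)   # XP's fallback certificate, no CA behind it
            Expired    = ($c.NotAfter -lt (Get-Date))
            NotAfter   = $c.NotAfter
        }
    }
}

function Test-LocalEfsPrivateKey {
    # True only if the *current* profile on *this* machine holds the private key.
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $local = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    return [bool]($local -and $local.HasPrivateKey)
}

# --- usage: run on the computer that holds the encrypted share ---
$user = 'qauser'                       # placeholder sAMAccountName
$file = 'C:\EncryptedShare\test.txt'   # placeholder path

$published = @(Get-PublishedEfsCertificate -SamAccountName $user)
if ($published.Count -eq 0) {
    Write-Warning "$user has no EFS certificate published in AD; the Add-user dialog has nothing to offer."
}
$published | Format-Table Thumbprint, SelfSigned, Expired, NotAfter, Issuer -AutoSize

# Which certificates the file itself currently allows (users and recovery agents).
cipher.exe /c $file

# Run this part logged on locally as $user: without the private key in this
# profile, the decrypt EFS performs here on his behalf cannot succeed, which is
# where credential roaming or a roaming profile comes in.
foreach ($p in $published) {
    if (Test-LocalEfsPrivateKey -Thumbprint $p.Thumbprint) {
        "Private key for $($p.Thumbprint) is present in this profile."
    } else {
        "No private key for $($p.Thumbprint) in this profile on $env:COMPUTERNAME."
    }
}
```

A typical finding in the scenario described above is that the only certificate published for the user is a stale self-signed one from before the hotfix, or that the CA-issued certificate is published but its private key lives only in the user's profile on his own workstation, not in his profile on the machine serving the share.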

