EFS/DRA

[Steve]

All,

I could really use some help with this EFS/DRA stuff. One thing at a time I
suppose.

I have successfully published a DRA via Group Policy (Win2k3/AD). I created
an encrypted file on an XP2 machine. When I click details of the encrypted
file, I can see the DRA. Associated with the user is a Cert Thumbprint.

I am logged onto a DC with the DRA user and when I open the Certificates
snap-in for mmc, the under Personal --> Certificates, the cert is there (with
the same Thumbprint). Likewise the same cert is listed under Active Directory
User Object --> Certificates. However when I try to access the files on the
XP machine from the DC (file share) it says access is denied. I am trying to
test the data recovery agent before implementing EFS on my network. Did I
miss a step?

Possibly related or unrelated, I am also havinga problem with DC issued
certs vs. self-signed certs. I was testing with QA and found that I needed to
add his self-signed cert to the encrypted file so that he could view it. He
has been autoenrolled for a efs cert (duplicate of Basic EFS) but it doesn't
appear to be working. What did I miss here? Also, I have noticed that many
users have been autoenrolled for the efs cert multiple times (viewing the
Certification Authority --> Issued Certificates).

Any and all help would be greatly appreciated.
-- Steve

 

[Brian Komar \(MVP\)]

some initial answers inline...

"Steve" <Steve@discussions.microsoft.com> wrote in message
news:AA251001-9431-43DF-95F9-8E681FBB99FB@microsoft.com...
> All,
>
> I could really use some help with this EFS/DRA stuff. One thing at a time
> I
> suppose.
>
> I have successfully published a DRA via Group Policy (Win2k3/AD). I
> created
> an encrypted file on an XP2 machine. When I click details of the encrypted
> file, I can see the DRA. Associated with the user is a Cert Thumbprint.
This is good news <G>

>
> I am logged onto a DC with the DRA user and when I open the Certificates
> snap-in for mmc, the under Personal --> Certificates, the cert is there
> (with
> the same Thumbprint). Likewise the same cert is listed under Active
> Directory
> User Object --> Certificates.

Does it state that you have the private key associated with the certificate?
If yes, then export it now!! Do not pass go, do not wait for anything.
This is the only copy of the certificate and private key\


> However when I try to access the files on the
> XP machine from the DC (file share) it says access is denied. I am trying
> to
> test the data recovery agent before implementing EFS on my network. Did I
> miss a step?

To use the key as the DRA, you must log on *locally* at the computer. You
are connecting over the network. You are connecting over the network. You
are creating a profile on the remote machine, generating a new EFS
certificate, and attempting to open it with that certificate. The
encryption/decryption is all remote.
It is not a transfer of the encrypted file to your machine. It is a remote
decryption and transfer of the file in the clear.


>
> Possibly related or unrelated, I am also havinga problem with DC issued
> certs vs. self-signed certs. I was testing with QA and found that I needed
> to
> add his self-signed cert to the encrypted file so that he could view it.
> He
> has been autoenrolled for a efs cert (duplicate of Basic EFS) but it
> doesn't
> appear to be working. What did I miss here? Also, I have noticed that many
> users have been autoenrolled for the efs cert multiple times (viewing the
> Certification Authority --> Issued Certificates).


There is a KB article (sorry no time to search for it now) that prevents the
creation of self-signed certificates. In addition, you want to enable
Credential Roamining Services or Roaming profiles to prevent the re-issuance
of EFS certificates.
>
> Any and all help would be greatly appreciated.
> -- Steve

 

[Steve]

Thanks for the response.

I exported the private key, assigned it a password and saved it. Now it says
there is a private key that corresponds to the certificate. You say that if
it does, export it. Didn't I just do that? Or should I do it again?

Thanks alot for your help.
-- Steve

"Brian Komar (MVP)" wrote:

> some initial answers inline...
>
> "Steve" <Steve@discussions.microsoft.com> wrote in message
> news:AA251001-9431-43DF-95F9-8E681FBB99FB@microsoft.com...
> > All,
> >
> > I could really use some help with this EFS/DRA stuff. One thing at a time
> > I
> > suppose.
> >
> > I have successfully published a DRA via Group Policy (Win2k3/AD). I
> > created
> > an encrypted file on an XP2 machine. When I click details of the encrypted
> > file, I can see the DRA. Associated with the user is a Cert Thumbprint.
> This is good news <G>
>
> >
> > I am logged onto a DC with the DRA user and when I open the Certificates
> > snap-in for mmc, the under Personal --> Certificates, the cert is there
> > (with
> > the same Thumbprint). Likewise the same cert is listed under Active
> > Directory
> > User Object --> Certificates.
>
> Does it state that you have the private key associated with the certificate?
> If yes, then export it now!! Do not pass go, do not wait for anything.
> This is the only copy of the certificate and private key\
>
>
> > However when I try to access the files on the
> > XP machine from the DC (file share) it says access is denied. I am trying
> > to
> > test the data recovery agent before implementing EFS on my network. Did I
> > miss a step?
>
> To use the key as the DRA, you must log on *locally* at the computer. You
> are connecting over the network. You are connecting over the network. You
> are creating a profile on the remote machine, generating a new EFS
> certificate, and attempting to open it with that certificate. The
> encryption/decryption is all remote.
> It is not a transfer of the encrypted file to your machine. It is a remote
> decryption and transfer of the file in the clear.
>
>
> >
> > Possibly related or unrelated, I am also havinga problem with DC issued
> > certs vs. self-signed certs. I was testing with QA and found that I needed
> > to
> > add his self-signed cert to the encrypted file so that he could view it.
> > He
> > has been autoenrolled for a efs cert (duplicate of Basic EFS) but it
> > doesn't
> > appear to be working. What did I miss here? Also, I have noticed that many
> > users have been autoenrolled for the efs cert multiple times (viewing the
> > Certification Authority --> Issued Certificates).
>
>
> There is a KB article (sorry no time to search for it now) that prevents the
> creation of self-signed certificates. In addition, you want to enable
> Credential Roamining Services or Roaming profiles to prevent the re-issuance
> of EFS certificates.
> >
> > Any and all help would be greatly appreciated.
> > -- Steve
>

 

[Brian Komar \(MVP\)]

Nope, you only have to do it once.
I just wanted to make sure you had backed it up.
Brian

"Steve" <Steve@discussions.microsoft.com> wrote in message
news:AC9BBFC3-1789-4335-BF9C-D731618EC594@microsoft.com...
> Thanks for the response.
>
> I exported the private key, assigned it a password and saved it. Now it
> says
> there is a private key that corresponds to the certificate. You say that
> if
> it does, export it. Didn't I just do that? Or should I do it again?
>
> Thanks alot for your help.
> -- Steve
>
> "Brian Komar (MVP)" wrote:
>
>> some initial answers inline...
>>
>> "Steve" <Steve@discussions.microsoft.com> wrote in message
>> news:AA251001-9431-43DF-95F9-8E681FBB99FB@microsoft.com...
>> > All,
>> >
>> > I could really use some help with this EFS/DRA stuff. One thing at a
>> > time
>> > I
>> > suppose.
>> >
>> > I have successfully published a DRA via Group Policy (Win2k3/AD). I
>> > created
>> > an encrypted file on an XP2 machine. When I click details of the
>> > encrypted
>> > file, I can see the DRA. Associated with the user is a Cert Thumbprint.
>> This is good news <G>
>>
>> >
>> > I am logged onto a DC with the DRA user and when I open the
>> > Certificates
>> > snap-in for mmc, the under Personal --> Certificates, the cert is there
>> > (with
>> > the same Thumbprint). Likewise the same cert is listed under Active
>> > Directory
>> > User Object --> Certificates.
>>
>> Does it state that you have the private key associated with the
>> certificate?
>> If yes, then export it now!! Do not pass go, do not wait for anything.
>> This is the only copy of the certificate and private key\
>>
>>
>> > However when I try to access the files on the
>> > XP machine from the DC (file share) it says access is denied. I am
>> > trying
>> > to
>> > test the data recovery agent before implementing EFS on my network. Did
>> > I
>> > miss a step?
>>
>> To use the key as the DRA, you must log on *locally* at the computer. You
>> are connecting over the network. You are connecting over the network. You
>> are creating a profile on the remote machine, generating a new EFS
>> certificate, and attempting to open it with that certificate. The
>> encryption/decryption is all remote.
>> It is not a transfer of the encrypted file to your machine. It is a
>> remote
>> decryption and transfer of the file in the clear.
>>
>>
>> >
>> > Possibly related or unrelated, I am also havinga problem with DC
>> > issued
>> > certs vs. self-signed certs. I was testing with QA and found that I
>> > needed
>> > to
>> > add his self-signed cert to the encrypted file so that he could view
>> > it.
>> > He
>> > has been autoenrolled for a efs cert (duplicate of Basic EFS) but it
>> > doesn't
>> > appear to be working. What did I miss here? Also, I have noticed that
>> > many
>> > users have been autoenrolled for the efs cert multiple times (viewing
>> > the
>> > Certification Authority --> Issued Certificates).
>>
>>
>> There is a KB article (sorry no time to search for it now) that prevents
>> the
>> creation of self-signed certificates. In addition, you want to enable
>> Credential Roamining Services or Roaming profiles to prevent the
>> re-issuance
>> of EFS certificates.
>> >
>> > Any and all help would be greatly appreciated.
>> > -- Steve
>>

 

[Steve]

So either I'm missing something, or I completely misunderstand EFS.

I have turned off the self-signed certificates on a few XP machines (using
the hotfix from MS and the Group Policy Option to not allow a user to create
self-signed certs).

Since then, when I create an EFS file on my XP machine, it uses a cert from
my CA....Good. But when I try to add another user to the file, he is unable
to open it. (In fact since installing the hotfix and adding the GP option, he
can't even create a new file on the encrypted share). I have NOT done
anything with credential roaming yet. Is that my problem?

Bottom line, I want to encrypt a file on my machine (XP), add a user with
the ability to decrypt it, and allow them to open it on their machine. Is
this not possible?

Thanks,
-- Steve

"Brian Komar (MVP)" wrote:

> Nope, you only have to do it once.
> I just wanted to make sure you had backed it up.
> Brian
>
> "Steve" <Steve@discussions.microsoft.com> wrote in message
> news:AC9BBFC3-1789-4335-BF9C-D731618EC594@microsoft.com...
> > Thanks for the response.
> >
> > I exported the private key, assigned it a password and saved it. Now it
> > says
> > there is a private key that corresponds to the certificate. You say that
> > if
> > it does, export it. Didn't I just do that? Or should I do it again?
> >
> > Thanks alot for your help.
> > -- Steve
> >
> > "Brian Komar (MVP)" wrote:
> >
> >> some initial answers inline...
> >>
> >> "Steve" <Steve@discussions.microsoft.com> wrote in message
> >> news:AA251001-9431-43DF-95F9-8E681FBB99FB@microsoft.com...
> >> > All,
> >> >
> >> > I could really use some help with this EFS/DRA stuff. One thing at a
> >> > time
> >> > I
> >> > suppose.
> >> >
> >> > I have successfully published a DRA via Group Policy (Win2k3/AD). I
> >> > created
> >> > an encrypted file on an XP2 machine. When I click details of the
> >> > encrypted
> >> > file, I can see the DRA. Associated with the user is a Cert Thumbprint.
> >> This is good news <G>
> >>
> >> >
> >> > I am logged onto a DC with the DRA user and when I open the
> >> > Certificates
> >> > snap-in for mmc, the under Personal --> Certificates, the cert is there
> >> > (with
> >> > the same Thumbprint). Likewise the same cert is listed under Active
> >> > Directory
> >> > User Object --> Certificates.
> >>
> >> Does it state that you have the private key associated with the
> >> certificate?
> >> If yes, then export it now!! Do not pass go, do not wait for anything.
> >> This is the only copy of the certificate and private key\
> >>
> >>
> >> > However when I try to access the files on the
> >> > XP machine from the DC (file share) it says access is denied. I am
> >> > trying
> >> > to
> >> > test the data recovery agent before implementing EFS on my network. Did
> >> > I
> >> > miss a step?
> >>
> >> To use the key as the DRA, you must log on *locally* at the computer. You
> >> are connecting over the network. You are connecting over the network. You
> >> are creating a profile on the remote machine, generating a new EFS
> >> certificate, and attempting to open it with that certificate. The
> >> encryption/decryption is all remote.
> >> It is not a transfer of the encrypted file to your machine. It is a
> >> remote
> >> decryption and transfer of the file in the clear.
> >>
> >>
> >> >
> >> > Possibly related or unrelated, I am also havinga problem with DC
> >> > issued
> >> > certs vs. self-signed certs. I was testing with QA and found that I
> >> > needed
> >> > to
> >> > add his self-signed cert to the encrypted file so that he could view
> >> > it.
> >> > He
> >> > has been autoenrolled for a efs cert (duplicate of Basic EFS) but it
> >> > doesn't
> >> > appear to be working. What did I miss here? Also, I have noticed that
> >> > many
> >> > users have been autoenrolled for the efs cert multiple times (viewing
> >> > the
> >> > Certification Authority --> Issued Certificates).
> >>
> >>
> >> There is a KB article (sorry no time to search for it now) that prevents
> >> the
> >> creation of self-signed certificates. In addition, you want to enable
> >> Credential Roamining Services or Roaming profiles to prevent the
> >> re-issuance
> >> of EFS certificates.
> >> >
> >> > Any and all help would be greatly appreciated.
> >> > -- Steve
> >>
>

 

[Alun Jones]

"Steve" <Steve@discussions.microsoft.com> wrote in message
news:B25710B1-0727-4067-AB9F-2EDCD098DD62@microsoft.com...
> So either I'm missing something, or I completely misunderstand EFS.
>
> I have turned off the self-signed certificates on a few XP machines (using
> the hotfix from MS and the Group Policy Option to not allow a user to
> create
> self-signed certs).
>
> Since then, when I create an EFS file on my XP machine, it uses a cert
> from
> my CA....Good. But when I try to add another user to the file, he is
> unable
> to open it. (In fact since installing the hotfix and adding the GP option,
> he
> can't even create a new file on the encrypted share). I have NOT done
> anything with credential roaming yet. Is that my problem?
>
> Bottom line, I want to encrypt a file on my machine (XP), add a user with
> the ability to decrypt it, and allow them to open it on their machine. Is
> this not possible?

It depends.

To make things easier, let's say that the file is stored on a "server", and
needs to be fetched by a user on a "client".

The user's private key must be stored in his personal store on the server.
If his key exists only on the client, he must export the certificate and key
from the client, and import it onto the server. Because the key must be in
his personal store, only the user can do this for himself.

Crazy though it may sound, EFS across a network share decrypts at the
server, rather than at the client - the file is transferred across the
network in plain text.

An alternative to having to export and import your private key on each
server is to use a roaming profile, or credential roaming. Note that these
two options are mutually exclusive per user.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

 

[Steve]

I appreciate the assistance.

I have read about Roaming Profiles and Credential Roaming but I am still
confused as to which one I should implement. Can you offer any advice?

Thanks,
-- Steve

"Alun Jones" wrote:

> "Steve" <Steve@discussions.microsoft.com> wrote in message
> news:B25710B1-0727-4067-AB9F-2EDCD098DD62@microsoft.com...
> > So either I'm missing something, or I completely misunderstand EFS.
> >
> > I have turned off the self-signed certificates on a few XP machines (using
> > the hotfix from MS and the Group Policy Option to not allow a user to
> > create
> > self-signed certs).
> >
> > Since then, when I create an EFS file on my XP machine, it uses a cert
> > from
> > my CA....Good. But when I try to add another user to the file, he is
> > unable
> > to open it. (In fact since installing the hotfix and adding the GP option,
> > he
> > can't even create a new file on the encrypted share). I have NOT done
> > anything with credential roaming yet. Is that my problem?
> >
> > Bottom line, I want to encrypt a file on my machine (XP), add a user with
> > the ability to decrypt it, and allow them to open it on their machine. Is
> > this not possible?
>
> It depends.
>
> To make things easier, let's say that the file is stored on a "server", and
> needs to be fetched by a user on a "client".
>
> The user's private key must be stored in his personal store on the server.
> If his key exists only on the client, he must export the certificate and key
> from the client, and import it onto the server. Because the key must be in
> his personal store, only the user can do this for himself.
>
> Crazy though it may sound, EFS across a network share decrypts at the
> server, rather than at the client - the file is transferred across the
> network in plain text.
>
> An alternative to having to export and import your private key on each
> server is to use a roaming profile, or credential roaming. Note that these
> two options are mutually exclusive per user.
>
> Alun.
> ~~~~
> --
> Texas Imperial Software | Web: http://www.wftpd.com/
> 23921 57th Ave SE | Blog: http://msmvps.com/alunj/
> Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
> Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
>
>

 

[Brian Komar \(MVP\)]

If all you want to roam is credential information, then Credential Roaming
is definitely the way to go.
If you want to roam files as well (profile, desktop, My Documents), then you
would be better to go with Roaming Profiles.
Both can be used, but as referenced in the Deploying CRS whitepaper, you
need to set up exceptions to prevent the roaming of the credential
information in roaming profiles.
If you do not have roaming profiles, and you want to roam EFS credentials, I
would lean towards CRS, rather than roaming profiles.
Brian

"Steve" <Steve@discussions.microsoft.com> wrote in message
news:E15464CC-7DD4-4C68-BB87-75D6A098B9D5@microsoft.com...
>I appreciate the assistance.
>
> I have read about Roaming Profiles and Credential Roaming but I am still
> confused as to which one I should implement. Can you offer any advice?
>
> Thanks,
> -- Steve
>
> "Alun Jones" wrote:
>
>> "Steve" <Steve@discussions.microsoft.com> wrote in message
>> news:B25710B1-0727-4067-AB9F-2EDCD098DD62@microsoft.com...
>> > So either I'm missing something, or I completely misunderstand EFS.
>> >
>> > I have turned off the self-signed certificates on a few XP machines
>> > (using
>> > the hotfix from MS and the Group Policy Option to not allow a user to
>> > create
>> > self-signed certs).
>> >
>> > Since then, when I create an EFS file on my XP machine, it uses a cert
>> > from
>> > my CA....Good. But when I try to add another user to the file, he is
>> > unable
>> > to open it. (In fact since installing the hotfix and adding the GP
>> > option,
>> > he
>> > can't even create a new file on the encrypted share). I have NOT done
>> > anything with credential roaming yet. Is that my problem?
>> >
>> > Bottom line, I want to encrypt a file on my machine (XP), add a user
>> > with
>> > the ability to decrypt it, and allow them to open it on their machine.
>> > Is
>> > this not possible?
>>
>> It depends.
>>
>> To make things easier, let's say that the file is stored on a "server",
>> and
>> needs to be fetched by a user on a "client".
>>
>> The user's private key must be stored in his personal store on the
>> server.
>> If his key exists only on the client, he must export the certificate and
>> key
>> from the client, and import it onto the server. Because the key must be
>> in
>> his personal store, only the user can do this for himself.
>>
>> Crazy though it may sound, EFS across a network share decrypts at the
>> server, rather than at the client - the file is transferred across the
>> network in plain text.
>>
>> An alternative to having to export and import your private key on each
>> server is to use a roaming profile, or credential roaming. Note that
>> these
>> two options are mutually exclusive per user.
>>
>> Alun.
>> ~~~~
>> --
>> Texas Imperial Software | Web: http://www.wftpd.com/
>> 23921 57th Ave SE | Blog: http://msmvps.com/alunj/
>> Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
>> Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
>>
>>

 

[Steve]

The onoing battle continues...

In AD U/C I am able to see certificates in the "Published Certificates" Tab.
However when I add this certificate to an EFS File on a 2K3 Server, I receive
"Access is Denied". If I add a self-signed certificate, (which I have
disabled according to the MS KB Article) I am able to view the file.

Where am I going wrong?

Thanks,
-- Steve

"Brian Komar (MVP)" wrote:

> If all you want to roam is credential information, then Credential Roaming
> is definitely the way to go.
> If you want to roam files as well (profile, desktop, My Documents), then you
> would be better to go with Roaming Profiles.
> Both can be used, but as referenced in the Deploying CRS whitepaper, you
> need to set up exceptions to prevent the roaming of the credential
> information in roaming profiles.
> If you do not have roaming profiles, and you want to roam EFS credentials, I
> would lean towards CRS, rather than roaming profiles.
> Brian
>
> "Steve" <Steve@discussions.microsoft.com> wrote in message
> news:E15464CC-7DD4-4C68-BB87-75D6A098B9D5@microsoft.com...
> >I appreciate the assistance.
> >
> > I have read about Roaming Profiles and Credential Roaming but I am still
> > confused as to which one I should implement. Can you offer any advice?
> >
> > Thanks,
> > -- Steve
> >
> > "Alun Jones" wrote:
> >
> >> "Steve" <Steve@discussions.microsoft.com> wrote in message
> >> news:B25710B1-0727-4067-AB9F-2EDCD098DD62@microsoft.com...
> >> > So either I'm missing something, or I completely misunderstand EFS.
> >> >
> >> > I have turned off the self-signed certificates on a few XP machines
> >> > (using
> >> > the hotfix from MS and the Group Policy Option to not allow a user to
> >> > create
> >> > self-signed certs).
> >> >
> >> > Since then, when I create an EFS file on my XP machine, it uses a cert
> >> > from
> >> > my CA....Good. But when I try to add another user to the file, he is
> >> > unable
> >> > to open it. (In fact since installing the hotfix and adding the GP
> >> > option,
> >> > he
> >> > can't even create a new file on the encrypted share). I have NOT done
> >> > anything with credential roaming yet. Is that my problem?
> >> >
> >> > Bottom line, I want to encrypt a file on my machine (XP), add a user
> >> > with
> >> > the ability to decrypt it, and allow them to open it on their machine.
> >> > Is
> >> > this not possible?
> >>
> >> It depends.
> >>
> >> To make things easier, let's say that the file is stored on a "server",
> >> and
> >> needs to be fetched by a user on a "client".
> >>
> >> The user's private key must be stored in his personal store on the
> >> server.
> >> If his key exists only on the client, he must export the certificate and
> >> key
> >> from the client, and import it onto the server. Because the key must be
> >> in
> >> his personal store, only the user can do this for himself.
> >>
> >> Crazy though it may sound, EFS across a network share decrypts at the
> >> server, rather than at the client - the file is transferred across the
> >> network in plain text.
> >>
> >> An alternative to having to export and import your private key on each
> >> server is to use a roaming profile, or credential roaming. Note that
> >> these
> >> two options are mutually exclusive per user.
> >>
> >> Alun.
> >> ~~~~
> >> --
> >> Texas Imperial Software | Web: http://www.wftpd.com/
> >> 23921 57th Ave SE | Blog: http://msmvps.com/alunj/
> >> Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
> >> Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
> >>
> >>
>