I'm trying to use EFS and a CA to encrypt data on a remote file share. I'm having
problems.

Encryption is working on the file share (server), but it's using self-signed
keys when using a remote machine (workstation) and copying a file to the share.

Also, when I encrypt the file on the share as Admin and try to share it with
the authorized users, select the key for my workstation user and verify
that the fingerprints match, the workstation cannot decrypt the file.

I know the self-signed key is on the share (server) because when I encrypt
locally on the workstation it uses the key that was assigned by the CA.

Another problem... I really cannot use roaming profiles. Long story, it just
won't work in my situation. All I'm looking for is a shared folder to be
encrypted and accessible by multiple users. The CA was originally intended
for SSL, but I figured this could work too.

Thanks

RE: EFS File Share Help by v-gzwang

v-gzwang
Fri May 16 03:35:40 PDT 2008

Hello,

Thank you for your post.
My name is Gary Wang, and it is my pleasure to work with you on this issue!
Please allow me to confirm that my understandings are correct. As I
understand it, the issue is:

You have copied a file from workstation to remote file sharing which is
encrypted by using Self signed key. But after that the workstation cannot
decrypt the file. And your roaming profile cannot work properly.

If I have misunderstood your concerns please feel free to let me know.

Suggestion :
==============
Based on my search, this issue may be due to the user not having a profile on the
server. First of all, let me try to explain some details about remote
encryption using EFS. If user tries to encrypt a remote file/folder stored
on a server, the server generates a new local profile on behalf of the
user, and subsequently requests, or generates a self-signed EFS
certificate. The certificate and private key are loaded in a local profile
on the server for encryption, and decryption operations. The server obtains
access to the profile through Kerberos delegation. It is important to note
that a user will have a profile, and private keys stored on the server even
if the user has never logged on interactively to the server.

I would like to suggest that you may want to use Roaming Profiles. This
way, we ensure that user profiles contain the same EFS certificate. In
addition, you don't have to worry about multiple locations for EFS
certificates after the certificate expires.

Here is some information pertaining to your case:

Remote EFS operations on files stored on network file shares are possible
in Windows 2000 or later domain environments only. Domain users can
remotely encrypt or decrypt files, but this capability is not enabled by
default. The following are requirements for successful remote EFS
operations in a file share environment:

1. The files to be encrypted must be available to the user through a
network share. Normal share-level security applies.
2. The user must have Write or Modify permissions to encrypt or decrypt a
file.
3. The user must have either a local profile on the computer where EFS
operations will occur or a roaming profile. If the user does not have a
local profile on the remote computer or a roaming profile, EFS creates a
local profile for the user on the remote computer.

If the remote computer is a server in a cluster, the user must have a
roaming profile.

4. To encrypt a file, the user must have a valid EFS certificate. If EFS
cannot locate a pre-existing certificate, EFS contacts a trusted enterprise
certification authority for a certificate. If no trusted enterprise
certification authorities are known, a self-signed certificate is created
and used. The certificate and keys are stored in the user's profile on the
remote computer or in the user's roaming profile if available.

Note: To verify a certificate's authenticity, a certification authority
signs the certificates that it issues with its private key. EFS creates and
uses a self-signed certificate if no file encryption certificate is
available from a certification authority. A self-signed certificate
indicates that the issuer and subject in the certificate are identical, and
that no certification authority has signed the certificate.

5. To decrypt a file, the user's profile must contain the private key
associated with the public key used to encrypt the file encryption key
(FEK).
6. EFS must impersonate the user to obtain access to the necessary public
or private key. This requires the following:

a. The computer must be a domain member in a domain that uses Kerberos
authentication because impersonation relies on Kerberos authentication and
delegation.
b. The computer must be trusted for delegation.
c. The user must be logged on with a domain account that can be delegated.

Note: Use the Active Directory Users and Computers snap-in to configure
delegation options for both users and computers. To trust a computer for
delegation, open the computer's Properties sheet and select Trusted for
delegation. To allow a user account to be delegated, open the user's
Properties sheet. On the Account tab, under Account Options, clear the "Account
is sensitive and cannot be delegated" check box. Do not select "The
account is trusted for delegation. This property is not used with EFS.

The roaming profile is a separate issue. Please understand that our
newsgroup is an issue based service, meaning we usually respond to one
question/issue per post. This will lessen the confusion for both of us, as
well as ensure that our results are accurate and not a result of a test for
a different question. Therefore, I will work with you on the first question
in this post (the file encryption issue). Regarding the additional question
(roaming profile), I suggest you create a new post for getting further
assistance, or I will work on it with you after we resolve the first issue.

If we cannot resolve the issue after we perform the above steps, please
help me collect some information for further investigation:

Information Need
==============
1. Capture a screenshot of the exact symptom of what's happening when you are
attempting to decrypt the shared encrypted file.
2. Check event viewer for related information, if there are any, please
help save it to *.evt and send to me at v-gzwang@microsoft.com.

Additional Information
==============
How to Share Files Using Encrypting File System
http://technet.microsoft.com/en-us/library/bb457007.aspx

Support WebCast: Exploring the nuances of remote file encryption
http://support.microsoft.com/kb/927552

Using Encrypting File System
http://technet.microsoft.com/en-us/library/bb457116.aspx
Encrypting File System in Windows XP and Windows Server 2003
http://technet.microsoft.com/en-us/library/bb457065.aspx#EHAA

Configuring Roaming User Profiles
http://technet2.microsoft.com/windowsserver/en/library/b41402c2-c982-4bfb-891e-91b47f211e181033.mspx?mfr=true

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316

I look forward to your reply. Also, if you have any questions or concerns,
please do not hesitate to let me know. I am happy to help. :-)

Thank you for your time and cooperation!


Best regards,

Gary Wang(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

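A diagnostic script that checks the prerequisites listed in the reply above (CA-issued vs. self-signed EFS certificate in the workstation profile, the thumbprints recorded on the remote file by cipher /c, and the delegation settings on the server and user account). This is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory PowerShell module is installed, and the file path, server name and user name are placeholders.

```powershell
# Added example: checks remote-EFS prerequisites from the reply above.
# Assumes the ActiveDirectory module; $ShareFile, $Server and $User are placeholders.
param(
    [string]$ShareFile = '\\FILESERVER\Share\secret.docx',   # placeholder UNC path
    [string]$Server    = 'FILESERVER',                       # placeholder server name
    [string]$User      = $env:USERNAME
)
Import-Module ActiveDirectory

$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

# 1. EFS certificates in the user's local profile: is each one CA-issued or self-signed?
$local = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsEku } }
Write-Host "EFS certificates in $User's local certificate store:"
foreach ($cert in $local) {
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    '{0}  issuer={1}  selfSigned={2}  expires={3}' -f $cert.Thumbprint, $cert.Issuer, $selfSigned, $cert.NotAfter
}

# 2. Thumbprints recorded on the remote file (cipher /c lists who can decrypt it);
#    a thumbprint that is not in the local store means the server used a different
#    (typically server-side, self-signed) certificate, which is the symptom in the post.
$remote = cipher.exe /c $ShareFile
Write-Host "`ncipher /c output for ${ShareFile}:"
$remote
$remoteThumbs = $remote | ForEach-Object { ($_ -replace '\s', '') } |
    Select-String -Pattern '[0-9A-Fa-f]{40}' -AllMatches |
    ForEach-Object { $_.Matches.Value.ToUpper() }
$missing = $remoteThumbs | Where-Object { $local.Thumbprint -notcontains $_ }
if ($missing) { Write-Warning "Thumbprint(s) on the file not present locally: $($missing -join ', ')" }

# 3. Delegation prerequisites (items 6a-6c in the reply).
$c = Get-ADComputer -Identity $Server -Properties TrustedForDelegation
$u = Get-ADUser     -Identity $User   -Properties AccountNotDelegated
'{0} TrustedForDelegation = {1}' -f $Server, $c.TrustedForDelegation
'{0} AccountNotDelegated  = {1}' -f $User,   $u.AccountNotDelegated
if (-not $c.TrustedForDelegation) {
    Write-Warning "$Server is not trusted for delegation; EFS cannot impersonate the user for remote encryption."
}
if ($u.AccountNotDelegated) {
    Write-Warning "$User has 'Account is sensitive and cannot be delegated' set; clear it as described above."
}
```

Run it from the workstation as the affected domain user; the warning in step 2 confirms whether the file was encrypted with a certificate the workstation profile does not hold.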


RE: EFS File Share Help by Tom

Tom
Wed Jul 23 13:10:03 PDT 2008

Is there a way to do this without using roaming profiles or Local accounts on
the Server?

RE: EFS File Share Help by LockMagic

LockMagic
Sun Aug 10 18:23:14 PDT 2008


Tom,

You might want to check out LockMagic to store and share EFS files on network
shares. It removes the need to manage EFS certificates entirely. See their
website for details.

Enjoy!


"Tom" wrote:

> Is there a way to do this without using roaming profiles or Local accounts on
> the Server?

RE: EFS File Share Help by Tom

Tom
Mon Aug 11 10:16:08 PDT 2008

Bump Nudge nudge tap tap tap