2008 R2 file server and EFS
I'm having trouble being able to access files that are EFS encrypted from a shared folder on a remote file server. The file server is running 2008 R2 and the files have EFS permissions for the remote user that is trying to access them. In spite of this I continue to receive an access denied message when trying to access the file. NTFS and Share permissions are correct. I have EFS certificates configured to be given out from our internal PKI server. I also have Credential Roaming enabled and working (though I guess this only works for interactive logons). I am under the impression that with 2008 R2 I don't need to worry about roaming profiles or that the computer account object is trusted for delegation. What's interesting though is that if I log in to the server as the test user I can then access the files remotely. This leads me to believe that roaming profiles are still a requirement. Is this accurate?
June 18th, 2010 11:52pm

Hi, based on my understanding, if credential roaming is enabled, we don't need to use a roaming profile to access an EFS file in a shared folder. Have you checked whether the certificate and the corresponding private key have been downloaded to the computer?
For more information: Credential Roaming http://technet.microsoft.com/en-us/library/cc770797.aspx
June 23rd, 2010 9:47am
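
One way to run the check suggested in the reply above (whether an EFS certificate and its private key are present), as an added example that is not part of the original thread. The function name `Get-EfsCertificate` is hypothetical; run it in the session of the user whose key is in question, on the machine being checked, and optionally pass a thumbprint copied from `cipher /c <file>`.

```powershell
function Get-EfsCertificate {
    param(
        # Optional: thumbprint to match, e.g. as shown by "cipher /c <file>".
        [string]$Thumbprint
    )
    # Enhanced Key Usage OID for Encrypting File System.
    $efsOid = '1.3.6.1.4.1.311.10.3.4'
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $wanted = $null
    if ($Thumbprint) { $wanted = ($Thumbprint -replace '\s', '').ToUpper() }

    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        # Only certificates that explicitly list the EFS usage are reported;
        # certificates with no EKU extension at all are skipped here.
        $isEfs = $false
        foreach ($ext in $cert.Extensions) {
            if ($ext -is $ekuType) {
                foreach ($usage in $ext.EnhancedKeyUsages) {
                    if ($usage.Value -eq $efsOid) { $isEfs = $true }
                }
            }
        }
        if ($isEfs -and ((-not $wanted) -or ($cert.Thumbprint -eq $wanted))) {
            New-Object PSObject -Property @{
                Thumbprint    = $cert.Thumbprint
                Subject       = $cert.Subject
                HasPrivateKey = $cert.HasPrivateKey   # False means the key did not arrive
                NotAfter      = $cert.NotAfter
                Expired       = ($cert.NotAfter -lt (Get-Date))
            }
        }
    }
}

# List every EFS certificate in the current user's Personal store.
Get-EfsCertificate | Format-List Thumbprint, Subject, HasPrivateKey, NotAfter, Expired
```

No output, or `HasPrivateKey : False` for the thumbprint the file was encrypted to, means that session cannot decrypt the file.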

I talked with one of our consultants via MS Premier support and it does appear that roaming profiles are still required.
"Unfortunately the story hasn’t changed in Win7/2008. The code for SMB2 was completed but never finished testing and was disabled. So all files are unencrypted in transport to/from a server. So this means roaming profiles are needed (or as you have found, have users log LOCALLY onto each server – ouch!) Credential Roaming also doesn’t work for EFS as the shell core isn’t configured to use Cred roaming for access to user keys. So today, the options are still the same. To do file server encryption, you need roaming profiles or users logging in to the server locally (and in the future when certs need to be renewed). To protect in transit you would need IPSEC. The same caveat exists, WEBDAV connections can keep the file encrypted in transit."
This is too bad. Hopefully CRS and encrypted files while transferring are supported in the future.
June 24th, 2010 2:06am

Thanks for sharing.
June 24th, 2010 6:00am
