EFS certificate location on win2k8 r2 domain controller/file server
Hi, I have the following:
- win2k8 r2 standard domain controller/file server (no certification authority on this server or anywhere else; I only have 1 server)
- win7pro x64 laptop in workgroup mode (not joined to the domain)

The laptop has a local EFS certificate to encrypt files on the laptop locally. When I access the file server from the laptop (laptop1) and log in to the file server, I put in the domain AD user account testuser1. When I encrypt the files, it does not use my local EFS certificate; it seems like testuser1 generates a certificate to AD via the SMB protocol and the certificate gets stored in AD automatically. I don't see the testuser1 EFS certificate installed in mmc -> certificates on my laptop. I don't have any certificates for testuser1 on my laptop. For the testuser1 EFS certificate, when I use laptop1 to access the encrypted files on the file server, is testuser1 getting the certificate in AD via the SMB protocol because I don't have any EFS certificates on laptop1 for testuser1?

I also did a test on a brand new laptop (laptop2) in workgroup mode (not joined to the AD domain), and when I access the file server using the AD account testuser1, I can access the encrypted files encrypted by testuser1. I didn't have to install any EFS certificate for testuser1. As long as I access the file server using the AD username with files encrypted by that user, I can access the files no problem. So where is the testuser1 EFS certificate getting stored in AD? I can't find it. Is laptop2 getting the testuser1 EFS certificate info via the SMB/CIFS protocol over file sharing?

When I use laptop1 or laptop2 to access the file server via the AD user account administrator, I cannot access the files encrypted by testuser1. It seems like the testuser1 EFS certificate is stored in AD, but I don't have a certificate authority set up anywhere. Where do I see the EFS certificate for testuser1 in AD? Thanks
May 4th, 2012 12:54pm

To sum it up: I can use a new laptop that's not part of the domain (no EFS certificates) and access the file server by using an AD user account testuser1, and I can access the encrypted files encrypted by user testuser1 only. How is this possible? How am I getting the EFS certificate to access the encrypted files by testuser1?
May 4th, 2012 2:07pm

When you connect to an EFS file stored on the server, the EFS certificate is stored in the profile of the user *on the server*. No certificate is issued, stored, or utilized on the local client in the scenario you describe. This is why the server must be trusted for delegation. Brian
May 5th, 2012 8:02am

Deleting the profile on the server for c:\users\testuser1 deleted the EFS certificate for testuser1. I had to restart the server for the EFS certificate not to work for testuser1. Without the server restart, the EFS certificate still worked. I just created a local EFS certificate for my laptop and encrypted a text file on my laptop. I moved the text file from my laptop to the server and it got re-encrypted with the 'testuser1' EFS certificate. How do I encrypt the file that I want to put on the server with my laptop EFS certificate? Thanks
May 7th, 2012 12:56am

I think I see where you're trying to go, but I need some clarification. Once you put the file on the server, you can give other people access to the file by approving their keys for access. This is done from the properties menu of the file, then select the advanced button by attributes. The "Encrypt Contents ..." checkbox should be checked. Click on details, and you will see a list of each user whose private keys can decrypt the file. Click on Add to add another user's private key to the list. However, for their key to be generated, you either need a CA set up on the server, or have the user encrypt something on the server for their key to show up. Only the creator of an encrypted file can add people at first, then anyone whose key has been added in this fashion can add someone else. Was this the direction you're trying to go? The Sherpa
July 16th, 2012 4:06pm
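The command-line equivalent of the properties > Advanced > Details > Add steps described above, as an added example that is not part of the thread: it exports the public half of the laptop's own EFS certificate to a .cer file and then uses cipher.exe on the server to add that certificate to a file that testuser1 already encrypted there, so the laptop's key can decrypt it too. The file paths and the certificate file name are assumptions; the EFS Enhanced Key Usage OID and the cipher.exe switches are standard Windows values.

```powershell
# Added example (not from the thread). Step 1 runs on the laptop as the local user
# who owns the EFS key; steps 2 and 3 run on the file server as testuser1.

# --- Step 1: export the laptop's EFS public certificate (private key stays put) ---
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No EFS certificate with a private key found in CurrentUser\My' }

$cerPath = Join-Path $env:USERPROFILE 'laptop1-efs.cer'   # assumed output path
# X509ContentType::Cert writes only the certificate, never the private key.
[System.IO.File]::WriteAllBytes($cerPath,
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
"Exported EFS certificate $($cert.Thumbprint) to $cerPath"

# --- Step 2: on the server, authorize that certificate on an encrypted file ---
# cipher /adduser must be run by a user who can already decrypt the file (here testuser1),
# which matches the "only the creator can add people at first" rule from the thread.
$serverFile  = 'C:\Shares\Data\secret.txt'   # assumed path of the file testuser1 encrypted
$cerOnServer = 'C:\Temp\laptop1-efs.cer'     # assumed location of the copied .cer file
cipher.exe /adduser "/certfile:$cerOnServer" $serverFile
if ($LASTEXITCODE -ne 0) { throw "cipher /adduser failed with exit code $LASTEXITCODE" }

# --- Step 3: verify both certificates are now listed as able to decrypt the file ---
# The output shows each user and certificate thumbprint that can decrypt secret.txt;
# the laptop thumbprint printed in step 1 should now appear alongside testuser1's.
cipher.exe /c $serverFile
```

Note that when the laptop reads the file over the share, the server still decrypts it with testuser1's server-side key; the added certificate matters when the file leaves the server in its encrypted form.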
