Encrypting File System Sharing
I should really finish up that MCITP:EA, maybe that will cover these things. I have what should be a simple EFS scenario. In this example, the file brians test.txt was encrypted by Brian, and he added Joseph's cert to the list of users who can access this file. But Joseph still can't decrypt the file.

Local Certificate Store for Joe's user account:

    T:\Test>certutil -store -user My
    My
    ================ Certificate 0 ================
    Serial Number: 1##X###X############
    Issuer: CN=XXX-CA, DC=caim, DC=internal
     NotBefore: 5/12/2011 12:17 PM
     NotAfter: 8/26/2011 3:39 PM
    Subject: E=Joseph.Durnal@domain.com, CN=Joseph Durnal, OU=Users, OU=XXX, DC=XXX, DC=XXX
    Certificate Template Name (Certificate Type): User
    Non-root Certificate
    Template: User
    Cert Hash(sha1): 89 8d f3 e7 XX XX XX XX XX XX XX XX XX XX XX XX XX XX 97 65
      Key Container = XXX...
      Simple container name: le-User-300822a7-f974-4fbd-a7a8-c19375333850
      Provider = Microsoft Enhanced Cryptographic Provider v1.0
    Encryption test passed

    T:\Test>cipher.exe /c "brians test.txt"

     Listing T:\Test\
     New files added to this directory will be encrypted.

    E brians test.txt
      Compatibility Level:
        Windows XP/Server 2003
      Users who can decrypt:
        XXXX\bXXXXX [Brian XXXXX(bXXXXX@XXX.XXX)]
        Certificate thumbprint: 86DA 4DD9 XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
        Joseph Durnal(jdurnal@XXX.XXX)
        Certificate thumbprint: 898D F3E7 XXXX XXXX XXXX XXXX XXXX XXXX XXXX 9765
      Recovery Certificates:
        Admin J. Durnal(jdXXXX@XXX.XXX)
        Certificate thumbprint: C56D XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
        Admin D. CXXX(dcXXX@XXX.XXX)
        Certificate thumbprint: 2B2E XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
      Key information cannot be retrieved.
      The specified file could not be decrypted.

What have I done wrong here? Why can't Joseph decrypt Brian's file?

Thanks, Joe

Joseph M. Durnal
MCM: Exchange 2010
MCITP: Enterprise Messaging Administrator, Exchange 2010
MCITP: Enterprise Messaging Administrator
In Progress: MCITP: Enterprise Administrator
June 2nd, 2011 4:06pm

I've re-created this problem exactly in my lab, and learned a little more about my configuration, which I'll share. One key bit of information: in the above example, the T: drive is a network drive. In my lab it works as expected with files encrypted on the workstation C: drive, but not on the network drive.

I have two users, 1test & 2test, plus the administrator which I've set up as the recovery agent. I've configured the properties of the enc folders on the C: & X: (network) drives with the encrypted attribute. On each drive I created a text file with the username as the file name, then added the certificate of the other test user. The cipher.exe /c command was run on the files as the user 1test with the results below; the C: drive was done first, then the X: (network) drive.

    C:\enc>cipher.exe /c c:\enc\?test.txt

     Listing c:\enc\
     New files added to this directory will be encrypted.

    E 1test.txt
      Compatibility Level:
        Windows XP/Server 2003
      Users who can decrypt:
        LAB\1test [One 1. Test(1test@lab.internal)]
        Certificate thumbprint: 0C52 8492 0659 12E4 60FF 588E A62C 416C A758 5632
        Two 2. Test(2test@lab.internal)
        Certificate thumbprint: 9FA1 7853 E6E2 FD2E F4B7 82DD C952 E1F6 3B55 A368
      Recovery Certificates:
        Administrator(Administrator@lab.internal)
        Certificate thumbprint: BBC0 4FD0 ACEB 62F6 B871 160C C89E CA7C 9613 8351
      Key Information:
        Algorithm: AES
        Key Length: 256
        Key Entropy: 256

    E 2test.txt
      Compatibility Level:
        Windows XP/Server 2003
      Users who can decrypt:
        LAB\2test [Two 2. Test(2test@lab.internal)]
        Certificate thumbprint: 9FA1 7853 E6E2 FD2E F4B7 82DD C952 E1F6 3B55 A368
        One 1. Test(1test@lab.internal)
        Certificate thumbprint: 0C52 8492 0659 12E4 60FF 588E A62C 416C A758 5632
      Recovery Certificates:
        Administrator(Administrator@lab.internal)
        Certificate thumbprint: BBC0 4FD0 ACEB 62F6 B871 160C C89E CA7C 9613 8351
      Key Information:
        Algorithm: AES
        Key Length: 256
        Key Entropy: 256

    C:\enc>cipher.exe /c x:\enc\?test.txt

     Listing x:\enc\
     New files added to this directory will be encrypted.

    E 1test.txt
      Compatibility Level:
        Windows XP/Server 2003
      Users who can decrypt:
        LAB\1test [One 1. Test(1test@lab.internal)]
        Certificate thumbprint: F82D C373 7E6F 3C6B 7E4F 856D 9A3B 6150 A466 C2A7
        Two 2. Test(2test@lab.internal)
        Certificate thumbprint: 9FA1 7853 E6E2 FD2E F4B7 82DD C952 E1F6 3B55 A368
      Recovery Certificates:
        Administrator(Administrator@lab.internal)
        Certificate thumbprint: BBC0 4FD0 ACEB 62F6 B871 160C C89E CA7C 9613 8351
      Key Information:
        Algorithm: AES
        Key Length: 256
        Key Entropy: 256

    E 2test.txt
      Compatibility Level:
        Windows XP/Server 2003
      Users who can decrypt:
        LAB\2test [Two 2. Test(2test@lab.internal)]
        Certificate thumbprint: 3561 BF8E 8A49 C0F1 7CFB A5E4 8C70 EA60 5E14 A19C
        One 1. Test(1test@lab.internal)
        Certificate thumbprint: 0C52 8492 0659 12E4 60FF 588E A62C 416C A758 5632
      Recovery Certificates:
        Administrator(Administrator@lab.internal)
        Certificate thumbprint: BBC0 4FD0 ACEB 62F6 B871 160C C89E CA7C 9613 8351
      Key information cannot be retrieved.
      The specified file could not be decrypted.

Is this even supported on a network drive? I'm not sure how useful the feature would be if it wasn't, but I haven't found any documentation either way.

Thanks, Joe

Joseph M. Durnal
MCM: Exchange 2010
MCITP: Enterprise Messaging Administrator, Exchange 2010
MCITP: Enterprise Messaging Administrator
In Progress: MCITP: Enterprise Administrator
June 5th, 2011 5:40pm

It is amazing what a second set of eyes can do for you; Brian G. has helped out a good bit. Information learned from the following links really helped out:

http://www.winserverkb.com/Uwe/Forum.aspx/windows-server-sbs/73116/EFS-File-Share-Help
http://technet.microsoft.com/en-us/library/bb457116.aspx

I was able to access the files remotely if I exported the cert with private key for the users, then logged into the server with the user's account, and imported the cert with private key for the respective user. This is great for a lab environment, but obviously it wouldn't work in the real world.

The "solution" is to use roaming profiles. Once the certificate store is established in the roaming profile, everything just seems to work. I put solution in quotes because it really isn't a solution for my customer because they don't use roaming profiles.

I guess this question now turns to: what is the practical way to implement shared encrypted files on a server without the need to use roaming profiles?

Thanks, Joe

Joseph M. Durnal
MCM: Exchange 2010
MCITP: Enterprise Messaging Administrator, Exchange 2010
MCITP: Enterprise Messaging Administrator
In Progress: MCITP: Enterprise Administrator
June 5th, 2011 9:41pm
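The behaviour in the posts above has a well-known cause: when a file on an SMB share is EFS-encrypted, the encryption and decryption are performed on the file server, under the user's profile on that server, and the server must be trusted for delegation in Active Directory to do so on the user's behalf. The lab output is consistent with that: on X: the thumbprint recorded for 1test (F82D…) differs from the one in 1test's client store (0C52…), as it would if the server generated a fresh self-signed EFS certificate in 1test's server-side profile, while the entry added for 2test (9FA1…) is the client-store certificate that 2test's server-side profile does not hold a private key for. The script below is an added diagnostic, not from the thread or from Microsoft; it parses cipher.exe /c for the thumbprints on the file, checks which of them have a private key in the client's store, queries the server's TrustedForDelegation attribute, and uses a profile-folder test as a rough indicator of whether the user has ever had a profile on the server. The UNC path, the Users folder location and the ActiveDirectory module are assumptions; PowerShell 3.0 or later is assumed for the [pscustomobject] syntax.

```powershell
# Added example (not the thread's or Microsoft's code): diagnose why a user
# cannot open an EFS-encrypted file on an SMB share. Run as the affected user.
# Assumptions: ActiveDirectory module present, $Path is a placeholder UNC path,
# profiles live under C:\Users on the server, and you have rights to the C$ share.
param(
    [string]$Path = '\\fileserver\share\enc\2test.txt'   # assumed path
)

# --- 1. Which certificates does the file's EFS metadata list? ---------------
# cipher.exe /c prints one "Certificate thumbprint:" line per user and per
# recovery agent; normalise them to 40 hex characters for comparison.
$cipherOut = & cipher.exe /c $Path 2>&1 | ForEach-Object { "$_" }
$thumbsOnFile = foreach ($line in $cipherOut) {
    if ($line -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)\s*$') {
        ($Matches[1] -replace '\s', '').ToUpperInvariant()
    }
}

# --- 2. For which of those do we hold a private key on THIS machine? --------
# Necessary but not sufficient: for a share, EFS evaluates the key in the
# user's profile on the server, not in the client store read here.
$localKeyed = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { $_.Thumbprint.ToUpperInvariant() }
$usable = @($thumbsOnFile | Where-Object { $localKeyed -contains $_ })

# --- 3. Is the file server trusted for delegation? --------------------------
# Without it the server cannot act as the user to reach the private key.
$server = ([uri]$Path).Host
$delegation = $null
try {
    $delegation = (Get-ADComputer -Identity $server `
        -Properties TrustedForDelegation).TrustedForDelegation
} catch {
    Write-Warning "Could not query AD for '$server': $($_.Exception.Message)"
}

# --- 4. Does a profile for this user exist on the server? (heuristic) -------
# A profile only appears after an interactive or delegated logon; with no
# roaming profile its certificate store is separate from the client's.
$profileOnServer = Test-Path "\\$server\C$\Users\$env:USERNAME"

[pscustomobject]@{
    File                 = $Path
    Server               = $server
    ThumbprintsOnFile    = ($thumbsOnFile -join ', ')
    LocalPrivateKeyMatch = ($usable -join ', ')
    DecryptErrorShown    = [bool]($cipherOut -match 'could not be decrypted')
    TrustedForDelegation = $delegation
    ProfileOnServer      = $profileOnServer
}
```

Save it as Test-EfsShare.ps1 and run it as the user who gets "Key information cannot be retrieved". A thumbprint that appears in LocalPrivateKeyMatch while DecryptErrorShown is true, with TrustedForDelegation true, points at the server-side profile store rather than the client: the same outcome the lab reached by importing the PFX on the server, and the reason roaming profiles or Credential Roaming make it work.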

On Mon, 6 Jun 2011 01:34:24 +0000, Joseph M Durnal wrote:

> I guess this question now turns to, what is the practical way to implement shared encrypted files on a server without the need to use roaming profiles.

You might want to have a look at Credential Roaming.
http://technet.microsoft.com/en-us/library/cc512692.aspx

Failing that, your only other real option is to look at using WebDav for the servers that need to have EFS files stored on them.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Last one out, turn off the computer!
June 6th, 2011 5:21am

Paul,

Thanks for the link, looks promising but I've yet to find success. Not sure how I'd even know if I've made credential roaming work :)

Given the time invested, I think I'm going to have to go with manually adding profiles and certs to the certificate store on the server via RDP. I do hope I have time to re-visit this as the concept of Credential Roaming seems like it is exactly what I need.

Joe

Joseph M. Durnal
MCM: Exchange 2010
MCITP: Enterprise Messaging Administrator, Exchange 2010
MCITP: Enterprise Messaging Administrator
In Progress: MCITP: Enterprise Administrator
June 6th, 2011 10:45pm
