Encrypting File System Sharing
I should really finish up that MCITP:EA, maybe that will cover these things. I have what should be a simple EFS scenario.
In this example, the file, brians test.txt was encrypted by Brian, and he added Joseph's cert to the list of users who can access this file. But Joseph still can't decrypt the file.
Local Certificate Store for Joe's user account.
T:\Test>certutil -store -user My
My
================ Certificate 0 ================
Serial Number: 1##X###X############
Issuer: CN=XXX-CA, DC=caim, DC=internal
NotBefore: 5/12/2011 12:17 PM
NotAfter: 8/26/2011 3:39 PM
Subject: E=Joseph.Durnal@domain.com, CN=Joseph Durnal, OU=Users, OU=XXX, DC=XXX, DC=XXX
Certificate Template Name (Certificate Type): User
Non-root Certificate
Template: User
Cert Hash(sha1): 89 8d f3 e7 XX XX XX XX XX XX XX XX XX XX XX XX XX XX 97 65
Key Container = XXX...
Simple container name: le-User-300822a7-f974-4fbd-a7a8-c19375333850
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
T:\Test>cipher.exe /c "brians test.txt"
Listing T:\Test\
New files added to this directory will be encrypted.
E brians test.txt
Compatibility Level:
Windows XP/Server 2003
Users who can decrypt:
XXXX\bXXXXX [Brian XXXXX(bXXXXX@XXX.XXX)]
Certificate thumbprint: 86DA 4DD9 XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Joseph Durnal(jdurnal@XXX.XXX)
Certificate thumbprint: 898D F3E7 XXXX XXXX XXXX XXXX XXXX XXXX XXXX 9765
Recovery Certificates:
Admin J. Durnal(jdXXXX@XXX.XXX)
Certificate thumbprint: C56D XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Admin D. CXXX(dcXXX@XXX.XXX)
Certificate thumbprint: 2B2E XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Key information cannot be retrieved.
The specified file could not be decrypted.
What have I done wrong here? Why can't Joseph decrypt Brian's file?
Thanks,
Joe
Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator In Progress: MCITP: Enterprise Administrator
June 2nd, 2011 4:06pm
I've re-created this problem exactly in my lab, and learned a little more about my configuration, which I'll share.
One key bit of information, in the above example, the T: drive is a network drive.
In my lab, it works as expected with files encrypted on the workstation C: drive, but not on the network drive. I have two users, 1test & 2test, plus the administrator, which I've set up as the recovery agent. I've configured the properties of the enc folders on the C: & X: (network) drives with the encrypted attribute. On each drive I created a text file with the username as the file name, then added the certificate of the other test user. The cipher.exe /c command was run on the files as the user 1test with the results below; the C: drive was done first, then the X: (network) drive.
C:\enc>cipher.exe /c c:\enc\?test.txt
Listing c:\enc\
New files added to this directory will be encrypted.
E 1test.txt
Compatibility Level:
Windows XP/Server 2003
Users who can decrypt:
LAB\1test [One 1. Test(1test@lab.internal)]
Certificate thumbprint: 0C52 8492 0659 12E4 60FF 588E A62C 416C A758 5632
Two 2. Test(2test@lab.internal)
Certificate thumbprint: 9FA1 7853 E6E2 FD2E F4B7 82DD C952 E1F6 3B55 A368
Recovery Certificates:
Administrator(Administrator@lab.internal)
Certificate thumbprint: BBC0 4FD0 ACEB 62F6 B871 160C C89E CA7C 9613 8351
Key Information:
Algorithm: AES
Key Length: 256
Key Entropy: 256
E 2test.txt
Compatibility Level:
Windows XP/Server 2003
Users who can decrypt:
LAB\2test [Two 2. Test(2test@lab.internal)]
Certificate thumbprint: 9FA1 7853 E6E2 FD2E F4B7 82DD C952 E1F6 3B55 A368
One 1. Test(1test@lab.internal)
Certificate thumbprint: 0C52 8492 0659 12E4 60FF 588E A62C 416C A758 5632
Recovery Certificates:
Administrator(Administrator@lab.internal)
Certificate thumbprint: BBC0 4FD0 ACEB 62F6 B871 160C C89E CA7C 9613 8351
Key Information:
Algorithm: AES
Key Length: 256
Key Entropy: 256
C:\enc>cipher.exe /c x:\enc\?test.txt
Listing x:\enc\
New files added to this directory will be encrypted.
E 1test.txt
Compatibility Level:
Windows XP/Server 2003
Users who can decrypt:
LAB\1test [One 1. Test(1test@lab.internal)]
Certificate thumbprint: F82D C373 7E6F 3C6B 7E4F 856D 9A3B 6150 A466 C2A7
Two 2. Test(2test@lab.internal)
Certificate thumbprint: 9FA1 7853 E6E2 FD2E F4B7 82DD C952 E1F6 3B55 A368
Recovery Certificates:
Administrator(Administrator@lab.internal)
Certificate thumbprint: BBC0 4FD0 ACEB 62F6 B871 160C C89E CA7C 9613 8351
Key Information:
Algorithm: AES
Key Length: 256
Key Entropy: 256
E 2test.txt
Compatibility Level:
Windows XP/Server 2003
Users who can decrypt:
LAB\2test [Two 2. Test(2test@lab.internal)]
Certificate thumbprint: 3561 BF8E 8A49 C0F1 7CFB A5E4 8C70 EA60 5E14 A19C
One 1. Test(1test@lab.internal)
Certificate thumbprint: 0C52 8492 0659 12E4 60FF 588E A62C 416C A758 5632
Recovery Certificates:
Administrator(Administrator@lab.internal)
Certificate thumbprint: BBC0 4FD0 ACEB 62F6 B871 160C C89E CA7C 9613 8351
Key information cannot be retrieved.
The specified file could not be decrypted.
Is this even supported on a network drive? I'm not sure how useful the feature would be if it wasn't, but I haven't found any documentation either way.
Thanks,
Joe
Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator In Progress: MCITP: Enterprise Administrator
June 5th, 2011 5:40pm
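A worked check of the lab listing above, as an added example that is not code from the thread or from Microsoft. Note that in the X: listing 1test's own thumbprint (F82D ...) is not the one shown for 1test on C: (0C52 ...), while the entry added for the other user on each file still carries that user's workstation thumbprint. That pattern is consistent with the file server decrypting on the user's behalf out of a server-side profile that holds its own EFS certificate, but not the private key of the certificate that was added from the other user's workstation store. The script below parses the per-file sections that cipher.exe /c prints and the certutil -store -user My listing of whichever store the decrypting host will consult, and reports which Data Decryption Field (DDF) entries that store can actually service. The cipher sample is the X: listing from the post; the two certutil samples are constructed to resemble 1test's store on the server and on the workstation.

```python
"""Cross-check a cipher.exe /c listing against a certutil -store -user My listing.

Added example, not from the thread or from Microsoft. The X_LISTING sample is the
x:\\enc listing posted in the thread; the certutil samples are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class EfsFile:
    name: str
    users: list = field(default_factory=list)     # DDF entries: (display name, thumbprint)
    recovery: list = field(default_factory=list)  # DRF entries: (display name, thumbprint)
    key_info_available: bool = False              # True when cipher printed "Key Information:"


def norm_thumb(text: str) -> str:
    """Normalise 'F82D C373 ...' or 'f8 2d c3 73 ...' to one upper-case hex string."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def parse_cipher_listing(text: str) -> list:
    """Parse the 'E <file>' blocks of a cipher.exe /c listing."""
    files, current, section, pending = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^([EU])\s+(.+)$", line)  # E = encrypted, U = unencrypted file
        if m:
            current = EfsFile(m.group(2))
            files.append(current)
            section, pending = None, None
            continue
        if current is None:
            continue
        if line == "Users who can decrypt:":
            section = "users"
        elif line == "Recovery Certificates:":
            section = "recovery"
        elif line == "Key Information:":
            current.key_info_available = True   # the decrypting host could open the file
            section = None
        elif line.startswith("Key information cannot be retrieved"):
            current.key_info_available = False  # no usable private key on the decrypting host
            section = None
        elif section and line.startswith("Certificate thumbprint:"):
            getattr(current, section).append((pending, norm_thumb(line.split(":", 1)[1])))
            pending = None
        elif section:
            pending = line                      # user/agent name line preceding its thumbprint
    return files


def parse_cert_store(text: str) -> set:
    """Thumbprints in a certutil -store listing whose private key passed the encryption test."""
    usable, last_hash = set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("====="):            # header of the next certificate block
            last_hash = None
        elif line.startswith("Cert Hash(sha1):"):
            last_hash = norm_thumb(line.split(":", 1)[1])
        elif line.startswith("Encryption test passed") and last_hash:
            usable.add(last_hash)               # private key is present and works
            last_hash = None
    return usable


def diagnose(files: list, usable_keys: set) -> dict:
    """For each file, which DDF entries the given store can service."""
    report = {}
    for f in files:
        matched = [name for name, thumb in f.users if thumb in usable_keys]
        missing = [name for name, thumb in f.users if thumb not in usable_keys]
        report[f.name] = {"can_decrypt": bool(matched), "matched": matched,
                          "missing_private_key": missing,
                          "listing_showed_key_info": f.key_info_available}
    return report


# cipher.exe /c x:\enc\?test.txt output as posted in the thread (run as 1test)
X_LISTING = r"""
Listing x:\enc\
New files added to this directory will be encrypted.

E 1test.txt
  Compatibility Level:
    Windows XP/Server 2003
  Users who can decrypt:
    LAB\1test [One 1. Test(1test@lab.internal)]
    Certificate thumbprint: F82D C373 7E6F 3C6B 7E4F 856D 9A3B 6150 A466 C2A7
    Two 2. Test(2test@lab.internal)
    Certificate thumbprint: 9FA1 7853 E6E2 FD2E F4B7 82DD C952 E1F6 3B55 A368
  Recovery Certificates:
    Administrator(Administrator@lab.internal)
    Certificate thumbprint: BBC0 4FD0 ACEB 62F6 B871 160C C89E CA7C 9613 8351
  Key Information:
    Algorithm: AES
    Key Length: 256
    Key Entropy: 256

E 2test.txt
  Compatibility Level:
    Windows XP/Server 2003
  Users who can decrypt:
    LAB\2test [Two 2. Test(2test@lab.internal)]
    Certificate thumbprint: 3561 BF8E 8A49 C0F1 7CFB A5E4 8C70 EA60 5E14 A19C
    One 1. Test(1test@lab.internal)
    Certificate thumbprint: 0C52 8492 0659 12E4 60FF 588E A62C 416C A758 5632
  Recovery Certificates:
    Administrator(Administrator@lab.internal)
    Certificate thumbprint: BBC0 4FD0 ACEB 62F6 B871 160C C89E CA7C 9613 8351
  Key information cannot be retrieved.
The specified file could not be decrypted.
"""

# Constructed: what certutil -store -user My shows in 1test's profile ON THE FILE SERVER
SERVER_STORE_1TEST = """
My
================ Certificate 0 ================
Issuer: CN=LAB-CA, DC=lab, DC=internal
Subject: CN=One 1. Test
Cert Hash(sha1): f8 2d c3 73 7e 6f 3c 6b 7e 4f 85 6d 9a 3b 61 50 a4 66 c2 a7
Key Container = constructed-server-side-container
Encryption test passed
"""

# Constructed: the same command in 1test's profile ON THE WORKSTATION
WORKSTATION_STORE_1TEST = """
My
================ Certificate 0 ================
Issuer: CN=LAB-CA, DC=lab, DC=internal
Subject: CN=One 1. Test
Cert Hash(sha1): 0c 52 84 92 06 59 12 e4 60 ff 58 8e a6 2c 41 6c a7 58 56 32
Key Container = constructed-workstation-container
Encryption test passed
"""

if __name__ == "__main__":
    files = parse_cipher_listing(X_LISTING)
    for host, store in (("file server", SERVER_STORE_1TEST), ("workstation", WORKSTATION_STORE_1TEST)):
        print(f"--- DDF check against 1test's store on the {host} ---")
        for name, r in diagnose(files, parse_cert_store(store)).items():
            print(f"{name}: can_decrypt={r['can_decrypt']} matched={r['matched']} "
                  f"no_key_for={r['missing_private_key']} cipher_showed_key_info={r['listing_showed_key_info']}")
```

Run against the server-side store the result agrees with the posted listing: 1test.txt is serviceable and 2test.txt is not. Run against the workstation store it says the opposite, because 1test's workstation certificate (0C52 ...) is what was added to 2test.txt; that key simply is not on the host that does the decrypting for a file on an SMB share. The practical takeaway is that for files on a network drive the store to inspect is the user's profile on the file server, not the workstation.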
It is amazing what a second set of eyes can do for you, Brian G. has helped out a good bit.
Information learned from the following links really helped out
http://www.winserverkb.com/Uwe/Forum.aspx/windows-server-sbs/73116/EFS-File-Share-Help
http://technet.microsoft.com/en-us/library/bb457116.aspx
I was able to access the files remotely if I exported the cert with private key for the users, then logged into the server with the users account, and imported the cert with private key for the respective user.
This is great for a lab environment, but obviously, it wouldn't work in the real world.
The "solution" is to use roaming profiles. Once the certificate store is established in the roaming profile, everything just seems to work.
I put solution in quotes because it really isn't a solution for my customer because they don't use roaming profiles.
I guess this question now turns to, what is the practical way to implement shared encrypted files on a server without the need to use roaming profiles.
Thanks,
Joe
Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator In Progress: MCITP: Enterprise Administrator
June 5th, 2011 9:41pm
On Mon, 6 Jun 2011 01:34:24 +0000, Joseph M Durnal wrote:
> I guess this question now turns to, what is the practical way to implement shared encrypted files on a server without the need to use roaming profiles.
You might want to have a look at Credential Roaming.
http://technet.microsoft.com/en-us/library/cc512692.aspx
Failing that, your only other real option is to look at using WebDAV for the servers that need to have EFS files stored on them.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Last one out, turn off the computer!
June 6th, 2011 5:21am
Paul,
Thanks for the link, looks promising but I've yet to find success. Not sure how I'd even know if I've made credential roaming work :) Given the time invested, I think I'm going to have to go with manually adding profiles and certs to the certificate store on the server via RDP. I do hope I have time to re-visit this as the concept of Credential Roaming seems like it is exactly what I need.
Joe
Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator In Progress: MCITP: Enterprise Administrator
June 6th, 2011 10:45pm