Access Denied reading a shared encrypted file in Active Directory

Guest

WHAT STEPS ARE REQUIRED TO "SUCCESSFULLY" SHARE EFS FILES IN A DOMAIN?
I log on to the Active Directory domain and encrypt a folder containing files.
I ADD to the "Users who can transparently access the file" a 2nd domain
user account by specifying the 2nd user account name and clicking FIND,
followed by selecting the 2nd user's published certificate from Active
Directory. This is called file sharing!
I log on to the domain as the 2nd account using the same or a different host PC and try to
open the shared EFS file but get "access denied the file is read only or
encrypted."

WHAT ARE THE STEPS I NEED TO FOLLOW TO ENSURE ALL REQUIRED DOMAIN
CONFIGURATION (IF ANY) IS IN PLACE, EVEN IF I DO NOT WANT A RECOVERY AGENT AT
THIS POINT IN TIME?
 
Microsoft does not recommend sharing EFS files on a network share unless the
users have roaming profiles due to the complexity of managing the user's EFS
certificates and private keys. You could probably work around not using
roaming profiles if the user that you shared EFS with logged onto the
computer with the share that had the EFS files and that user then imported
his EFS certificate AND private key [that matches the thumbprint of what is
shown for his user account in AD] from a password protected .pfx file into
his user profile on that computer. When not using roaming profiles the user
must have a user profile that contains his EFS certificate/private key on
the computer that has the share with the EFS files. If the user does not
have a user profile on the server and encrypts a file on that server then
the server will create a mini profile for the user and request and receive
an EFS certificate/private key for the user, but that certificate/private key
will be different than the one the user currently has on his workstation,
causing confusion and possible access problems. The computer with the share
must also be trusted for delegation in its computer account in Active
Directory in order to impersonate the user to request a user certificate
when needed. The link below explains more. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

File Sharing on Remote Servers
File sharing on remote servers that are trusted for delegation has some very
unique challenges regarding sharing certificates of other users. If the
users are not using roaming user profiles, then the server will be using
unique certificates for the users for the files encrypted on the server.
This condition exists despite the fact that the user may already have
enrolled for an EFS certificate and published that certificate to the Active
Directory. Effectively, the user will not know which certificate to choose
from the Active Directory when adding other users to an encrypted file.
There is no way to determine which certificate the server has used for
encryption.

This scenario is exacerbated by the fact that users choose certificates from
their local machine store or the Active Directory, not from the Other People
or Trusted People store on the server. It is not recommended to share files
that are encrypted on the server unless one of the following workarounds is
employed:

• The users have roaming user profiles

• EFS over WebDAV file sharing is used

• An alternate method for identifying the correct certificate is
provided (for example: only publishing server-created certificates to Active
Directory)
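The two preconditions Steve describes (the sharing user's profile on the file server must hold the private key for the same EFS certificate that is published on his AD account, and the server's computer account must be trusted for delegation) can be verified before sharing. The following PowerShell is an added example, not code from this thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, that it is run on the file server as the user being checked, and uses the placeholder server name FILESRV01.

```powershell
# Added example: verify EFS sharing preconditions for the current domain user.
# Assumptions: RSAT ActiveDirectory module available; run on the file server
# as the user whose certificate is checked; FILESRV01 is a placeholder name.
Import-Module ActiveDirectory

$ShareServer    = 'FILESRV01'           # placeholder: the server hosting the share
$SamAccountName = $env:USERNAME
$EfsEku         = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID

# Returns $true when the certificate carries the EFS enhanced key usage.
function Test-EfsEku([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            if ($ext.EnhancedKeyUsages | Where-Object Value -eq $EfsEku) { return $true }
        }
    }
    return $false
}

# 1. EFS certificates that have a private key in this user's profile on this host.
$local = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and (Test-EfsEku $_) }

# 2. EFS certificates published on the user's AD account (userCertificate attribute).
#    This is the list a colleague sees when adding the user to an encrypted file.
$user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
$published = foreach ($raw in $user.userCertificate) {
    $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    if (Test-EfsEku $c) { $c }
}

# Transparent access works only if a published thumbprint also has its private key locally.
$matching = $local | Where-Object { $published.Thumbprint -contains $_.Thumbprint }
if ($matching) {
    "OK: thumbprint $($matching[0].Thumbprint) is published in AD and has a private key here."
} else {
    "MISMATCH: no local EFS private key matches a certificate published in AD for $SamAccountName."
    "  Local (with private key): $($local.Thumbprint -join ', ')"
    "  Published in AD:          $($published.Thumbprint -join ', ')"
}

# 3. The file server must be trusted for delegation to request a user certificate on the user's behalf.
$computer = Get-ADComputer -Identity $ShareServer -Properties TrustedForDelegation
if ($computer.TrustedForDelegation) { "OK: $ShareServer is trusted for delegation." }
else { "WARN: $ShareServer is not trusted for delegation in its AD computer account." }
```

A MISMATCH result is the situation described above: the server minted its own EFS certificate for the user, so the certificate a colleague picks from AD is not the one whose private key exists on the server.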
 
Thank you for the explanation & link. I'll have to digest this and experiment.
Once again, thanks.

Steven L Umbach said: