Certificate not shown with efsinfo /y


Bert Roos

Hi,

I've an EFS certificate that shows up in the certificates MMC snapin that's
not shown with efsinfo /y.
This certificate was first requested from the CA on computer A, by user U.
User U exported this certificate (with the private key) and imported it on
computer B (both computers A and B as well as user U are part of the same
ADS domain). When typing efsinfo /y on computer A, the certificate is shown,
but not on computer B.

Any help on how to resolve this would be greatly appreciated.

Thanks, Bert Roos

(please reply to group).
 
"efsinfo /y" shows the user's current EFS cert hash. It's considered
"current" once it's been used to encrypt something on the machine. I don't
recall whether enrollment also sets the reg value that makes this "current".
Autoenrollment updating the cert should update the "current" cert, though.

Oh - and the pfx wizard doesn't set the reg value.

Quick and dirty way to make sure "efsinfo /y" shows the thumbnail even after
an import w/ the pfx wizard: create a small temporary file, encrypt it
(which sets the reg value), then delete the file.
 
Thanks Drew, that indeed makes efsinfo /y show the certificate. But to be
honest, that was not my real problem. I was hoping that I could access
encrypted files on a remote computer once the certificate was shown by
efsinfo.
So the real problem is that I have encrypted files on computer A. I've
exported the certificate on A and imported it on computer B. Now I expected
to be able to remotely read the encrypted files on computer A. To accomplish
that, I use a single domain account and both computers are part of that same
ADS domain.

When I type efsinfo /y /c on computer B, I see that the thumbprint of the
users who can access the encrypted remote files is identical to the current
user EFS certificate, but when I try to read such a file, I get 'access
denied'.

Hope you know the fix for this one too!

Regards, Bert

 
Is the remote machine joined to AD and the machine account trusted for
delegation? Did you import the cert and private key under the same domain
user account on the second machine?

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

--
David B. Cross [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
 
Hi David,

Thanks for replying. Both machines are joined to the same AD and I imported the
certificate and private key under the same domain user account.
However, neither of the two machines is trusted for delegation, so I assume
that's the cause of the problem. I quickly scanned the document you referred
to. Is it a correct conclusion that the server that's hosting the encrypted
files should be trusted for delegation to allow remote access to encrypted
files stored on that server?

Regards, Bert
 
Hi David,

I made the server trusted for delegation and now it works fine.

Thanks for the support!
Bert Roos
 
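The thread's two fixes, as an added PowerShell example that is not part of the original posts: list the EFS-capable certificates in the user's store, apply Drew's "encrypt a throwaway file" trick so the imported certificate becomes the current EFS key, and check the file server's computer account for the TRUSTED_FOR_DELEGATION flag David asked about. Assumptions: the current-key registry location (HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys, value CertificateHash) is my reading of where efsinfo /y looks, and FILESERVER-A is a placeholder computer name.

```powershell
# Added example, not code from the thread. See lead-in for labelled assumptions.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System
# Assumed location of the "current" EFS key that efsinfo /y reports
$CurrentKeysPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'

function Get-EfsCertificates {
    # EFS-capable certs in the personal store that still have a usable private key
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku) }
}

function Get-CurrentEfsThumbprint {
    # $null until a file has been encrypted on this machine (the symptom in the thread)
    $v = Get-ItemProperty -Path $CurrentKeysPath -Name CertificateHash -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    ($v.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Set-CurrentEfsKey {
    # Drew's trick: encrypt a temporary file so EFS records the imported cert, then delete it
    $tmp = Join-Path $env:TEMP ("efs-probe-{0}.tmp" -f [guid]::NewGuid())
    Set-Content -Path $tmp -Value 'probe'
    try { [System.IO.File]::Encrypt($tmp) } finally { Remove-Item $tmp -Force }
}

function Test-TrustedForDelegation([string]$ComputerName) {
    # David's check: TRUSTED_FOR_DELEGATION (0x80000) in the machine account's userAccountControl.
    # Uses DirectorySearcher so no RSAT module is required; computer sAMAccountNames end in '$'.
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $null = $s.PropertiesToLoad.Add('userAccountControl')
    $r = $s.FindOne()
    if ($null -eq $r) { throw "Computer account $ComputerName not found in AD" }
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    [bool]($uac -band 0x80000)
}

# Usage: show EFS certs, make one current if none is, then check the file server's account
Get-EfsCertificates | Select-Object Subject, Thumbprint, NotAfter
if (-not (Get-CurrentEfsThumbprint)) { Set-CurrentEfsKey }
"Current EFS key thumbprint: $(Get-CurrentEfsThumbprint)"
"FILESERVER-A trusted for delegation: $(Test-TrustedForDelegation 'FILESERVER-A')"  # placeholder name
```

Compare the thumbprint printed here with the one cipher /c (or efsinfo /c) lists for a remote encrypted file; a match with "access denied" points at the delegation setting rather than the key.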