EFS recovery agent in Default Domain Policy with a self signed cer

Guest

I created a domain user EFSRecovery and applied Microsoft PSS ID 887414 to
create a certificate for recovery.
Then I added this certificate to the Default Domain Policy as the EFS recovery agent
for the domain.

With this solution I am unable to recover files (in the encrypted files the
information about this certificate as recovery agent is visible) but "access denied" is the
message.

If I create the recovery certificate with a Microsoft CA, it works fine.

Is this correct? Because I don't want to install a Microsoft CA.
Another solution is to purchase a special certificate for the domain recovery agent
and use self-signed ones for my users.

Thanks for your help.
 
Roger Abell [MVP]

To define the recovery agent one needs to indicate this in
group policy as you have stated. To use the capability the
cert's private key needs to be imported into the account,
which you have not stated doing.

Roger
 
Guest

OK.

I export the key and certificate with cipher (using PSS ID 887414), then I
import this in the domain GPO (EFS recovery agents....), and also I import this in
AD (user certificates published).
But this does not work (this user is unable to open or disable encryption on
files); when the GPO updates the computers, this user is defined in each file as
recovery agent, but when this user logs on and tries to open the file the message is "access denied".

If I create a certificate with the MS CA, then this works OK.
 
Roger Abell [MVP]

You need to log into the account and use the Certificates utility
to import the private key into the account's private store.
All you have mentioned only made the public key available for
use when encrypting. The private key is needed in the account
in order to decrypt.
 
Brian Komar

OK.

I export the key and certificate with cipher (using PSS ID 887414), then I
import this in the domain GPO (EFS recovery agents....), and also I import this in
AD (user certificates published).
But this does not work (this user is unable to open or disable encryption on
files); when the GPO updates the computers, this user is defined in each file as
recovery agent, but when this user logs on and tries to open the file the message is "access denied".

If I create a certificate with the MS CA, then this works OK.
<snip>
What you are forgetting is that EFS has nothing to do with the user
account, and everything to do with who owns/possesses the private key of
the EFS recovery agent.
Just logging in as the user will not work. It does work when you request
the certificate from the Microsoft CA because you are logging on *with* the
account that requested the certificate *at* the computer where you made the
request.
If you generate the certificate with cipher, you get two objects: a .cer
file which you correctly imported into AD, and a .pfx or .p12 file that you
must import into the local user account.
It does not matter which account, in fact. Any account will do.

HTH,
Brian
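The check both replies describe (the .pfx with the private key must sit in the store of the account that will do the decrypting, not just the .cer in AD or the GPO) can be scripted. The following is an added example and is not code from the thread or from either replier. It assumes the .pfx exported by `cipher /r` is at a path of your choosing with a known password, that the Windows PKI module (`Import-PfxCertificate`, Windows 8 / Server 2012 and later) is available, and that the EFS File Recovery EKU OID is 1.3.6.1.4.1.311.10.3.4.1; the file path is a placeholder.

```powershell
# Added example, not from the thread. Assumptions: $PfxPath is the .pfx produced by
# "cipher /r" (password known), $EncryptedFile is an EFS-encrypted file on this
# machine, and the PKI module's Import-PfxCertificate cmdlet is available.
param(
    [string]$PfxPath       = 'C:\recovery\EFSRecovery.pfx',   # placeholder path
    [string]$EncryptedFile = 'C:\data\secret.txt'              # placeholder file
)

# EKU OID that marks a certificate as an EFS File Recovery (recovery agent) cert.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

# 1. Import the PFX (public cert AND private key) into the personal store of the
#    account that is logged on right now. Importing only the .cer, or publishing it
#    to AD, leaves this account without the private key, which is the "access denied"
#    symptom from the thread.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Import-PfxCertificate -FilePath $PfxPath `
                      -CertStoreLocation 'Cert:\CurrentUser\My' `
                      -Password $pfxPassword | Out-Null

# 2. Confirm that a File Recovery certificate with a usable private key now exists in
#    CurrentUser\My. HasPrivateKey is the property decryption actually depends on.
$recoveryCerts = Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $FileRecoveryOid })
}

if (-not $recoveryCerts) {
    Write-Warning "No File Recovery certificate with a private key in this account's store; EFS recovery will fail with access denied."
} else {
    foreach ($cert in $recoveryCerts) {
        Write-Output "Recovery cert with private key: $($cert.Subject) [$($cert.Thumbprint)]"
    }
}

# 3. List the recovery agents recorded on the file itself (cipher /c is the built-in
#    tool). Compare the thumbprint it prints against the one found in step 2: they
#    must match for this account to recover the file.
cipher /c $EncryptedFile
```

Run it while logged on as the account that should perform the recovery; repeating steps 2 and 3 under a domain account versus a local account shows directly whether the private key landed in the right profile's store, which is the difference the original poster observed.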
 
Guest

Yes, I imported the pfx using the local administrator account and it works fine.
The question is why the same procedure doesn't work using a domain account?
(This is a minor problem for me, but I tested this and got the error.)

Thank you very much Brian and Roger.
 