EFS Recovery Agent

[Steven Bellamy]

Hi,

I am having a problem trying to decrypt information using a Recovery Agent.

We're running a W2K Adv Server SP3 in mixed mode.

I have setup EFS using a GPO for the domain. I have specified 3 user
accounts to be Recovery Agents for the domain, all of which are part of the
admin group.
I used the Wizard to add or create the RA's, I did not import any
certificates.

When I use efsinfo /u /r on an encrypted file, I get the following info.

test.txt: Encrypted
Users who can decrypt:
ABCDOMAIN\user (user([email protected]))
Recovery Agents:
Unknown (RA1([email protected]))
Unknown (RA2([email protected]))
Unknown (RA3([email protected]))

Does anyone know why the RA's have a domain of Unknown?
Is this possibly why I can't decrypt a file on a PC that has a recovery
agent certificate installed?

Thanks for your help!

 

[Steven L Umbach]

I don't know about the name issue offhand, but believe as long as the right
EFS RA private key has been imported to the computer where files need to be
recovered by the RA it should work. You can also use efsinfo to view
thumbprints to help match up the certificates that are RA. You need to have
a RA export their recovery certificate and private key to a .pfx file as
described in the KB article below to be able to import it to another
computer. Their certificate also needs to be a recovery certificate as
described on the certificate properties in the user certificate store
accessable through the mmc certificate snapin for users. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;242296
http://www.microsoft.com/windows2000/techinfo/planning/security/efssteps.asp

 

[Drew Cooper [MSFT]]

The name issue was a bug. It's a failed account lookup. There's a place in
each entry in the EFS metadata for an account SID. It makes sense for
users, but not RAs - there's really no way to know the RAs SID. So the
metadata doesn't hold anything useful in that field for an RA.
The old version of efsinfo treated RA data the same as user data and tried
to lookup an account name based on the (non-specified) SID. Whenever the
lookup failed, it would output "unknown user".
There's a newer version of efsinfo that doesn't try name lookup for RAs -
just skips that info. I don't know whether we checked a fix for this into
Win2k sources. I doubt it, though. It's a minor problem that doesn't block
anyone - not the kind of thing fixed with a service pack.

 

[Roger Abell [MVP]]

Thanks for the usable info Drew.
Roger

The name issue was a bug. It's a failed account lookup. There's a place in
each entry in the EFS metadata for an account SID. It makes sense for
users, but not RAs - there's really no way to know the RAs SID. So the
metadata doesn't hold anything useful in that field for an RA.
The old version of efsinfo treated RA data the same as user data and tried
to lookup an account name based on the (non-specified) SID. Whenever the
lookup failed, it would output "unknown user".
There's a newer version of efsinfo that doesn't try name lookup for RAs -
just skips that info. I don't know whether we checked a fix for this into
Win2k sources. I doubt it, though. It's a minor problem that doesn't block
anyone - not the kind of thing fixed with a service pack.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

I don't know about the name issue offhand, but believe as long as the right
EFS RA private key has been imported to the computer where files need to be
recovered by the RA it should work. You can also use efsinfo to view
thumbprints to help match up the certificates that are RA. You need to have
a RA export their recovery certificate and private key to a .pfx file as
described in the KB article below to be able to import it to another
computer. Their certificate also needs to be a recovery certificate as
described on the certificate properties in the user certificate store
accessable through the mmc certificate snapin for users. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;242296

http://www.microsoft.com/windows2000/techinfo/planning/security/efssteps.asp

of
the

 

[Roger Abell [MVP]]

You state that you did not import any certificate.
Do you mean that when viewing the EFS policies for the
domain you do not see the EFS DRAs defined, and when
logged in with one of the DRAs you do not see the DRA
EFS encryption cert in its certificates store ??

 

[Steven Bellamy]

Hi,

Thanks for all the feed back guys.
I managed to resolve the problem.
I was encrypting the files on a WinXP SP1 workstation, and trying to decrypt
on our W2K Adv Server.
The following KB Article helped resolve the problem, by setting XP to
encrypt data using the DESX algorithm (instead of the default AES_256
Algorithm which is understood by XP SP1 or later) I was able to remove the
encryption on the encrypted files using a RA.
http://support.microsoft.com/default.aspx?scid=kb;en-us;329741

Thanks once again!