EFS


Guest

Hello,
I have a Windows 2000 Server with Active Directory and 10 clients. Now I
want to use data encryption on the server. I have installed a CA on a Windows 2000
Server. A user from a workstation can encrypt a file; this is OK. The
user gets the certificate allocated.
Therewith, so that the system is very safe, the user wants to save the private key on
a disk.
But I cannot export the private key. This function cannot be selected.
What can I do to export the private key?
 
Roland Hübner said:
> Hello,
> I have a Windows 2000 Server with Active Directory and 10 clients. Now I
> want to use data encryption on the server. I have installed a CA on a Windows 2000
> Server.

Is it an "Enterprise CA" ? A stand-alone CA cannot auto-issue
the domain certificates for EFS.

Microsoft SHOULD have named 'Enterprise' as an AD CA or
as an AD-Enterprise CA to help explain this key point.
> A user from a workstation can encrypt a file; this is OK. The
> user gets the certificate allocated.
> Therewith, so that the system is very safe, the user wants to save the private key on
> a disk.

The default policy for these keys is not "exportable", but that can be
changed. Search Google for "changing certificate policy" and "exportable"
or some such.

> But I cannot export the private key. This function cannot be selected.
> What can I do to export the private key?

You cannot export that key, but you can change the policy and
issue new certificates.

BTW, WHY do you wish to allow the certificates to be exported?

There are reasons, but there are also significant security risks and
we might be able to solve the "real problem" another (better) way....
 
You cannot export the private key for the user; they must do that
themselves. While the user is logged on, have them use the MMC snap-in for
certificates for "user" and go to their Personal\Certificates folder. When
they find their certificate for Encrypting File System [or possibly user
certificate], have them right-click the certificate, select All Tasks and
Export. The certificate used for EFS should have the ability to export its
private key [assuming the private key is present] unless at one time the
user exported and deleted it and then, when importing it back into their
computer, did not select the option to allow the private key to be exported.
The link below may be of help; see the section on how to back up your
certificate, though it shows how to do so via Internet Explorer as another
possible way to do it. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
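As an added example that is not part of this thread: on a current Windows client, the check Steve describes (open the logged-on user's Personal store, find the EFS certificate, see whether its private key is present and exportable, then export it) can be scripted. It assumes Windows PowerShell 5.1 with the PKI module's Export-PfxCertificate cmdlet, neither of which exists on Windows 2000, where the MMC steps above apply instead; the EFS enhanced key usage OID 1.3.6.1.4.1.311.10.3.4 is Microsoft's standard value, and the function names are this example's own.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 5.1 on a
# current Windows client with the PKI module (Export-PfxCertificate); Windows
# 2000 users follow the MMC steps described in the thread instead.

# Enhanced Key Usage OID that marks a certificate as usable for EFS.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Test-EfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # Look for an EKU extension containing the EFS OID. A certificate with no
    # EKU extension is not treated as an EFS certificate here.
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $EfsEkuOid) { return $true }
            }
        }
    }
    return $false
}

function Get-EfsCertificateStatus {
    # Only the Personal (My) store of the logged-on user holds the private key,
    # which is why the export has to be done as that user, in that profile.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { Test-EfsCertificate -Certificate $_ } |
        ForEach-Object {
            $cert = $_
            $exportable = 'unknown'
            if ($cert.HasPrivateKey) {
                # For legacy CSP keys the flag fixed at enrolment time by the
                # template's "Allow private key to be exported" setting is visible here;
                # CNG keys expose no PrivateKey object in PowerShell 5.1, so they stay 'unknown'.
                $info = $cert.PrivateKey.CspKeyContainerInfo
                if ($null -ne $info) { $exportable = $info.Exportable }
            }
            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                Exportable    = $exportable
            }
        }
}

function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) {
        throw "No private key for $Thumbprint in this profile; export from the profile where the key lives."
    }
    # Export-PfxCertificate fails when the key was enrolled as non-exportable,
    # which is the situation in the thread; the remedy is a template that allows
    # export plus a fresh enrolment, not this script.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    return $PfxPath
}

# Usage (interactive, run as the user who owns the EFS certificate):
Get-EfsCertificateStatus | Format-Table -AutoSize
# $pw = Read-Host -AsSecureString -Prompt 'PFX password'
# Backup-EfsCertificate -Thumbprint '<thumbprint from the table>' -PfxPath "$env:USERPROFILE\efs-backup.pfx" -Password $pw
```

The table makes the thread's failure mode visible before any export is attempted: a row with HasPrivateKey true and Exportable false is a key enrolled under a template that forbids export, and no amount of clicking in the MMC will change that. Keep the resulting .pfx off the encrypted volume and away from the user's roaming profile, since whoever holds it can decrypt every file the certificate protects. On Windows XP SP2 and later, cipher.exe /x offers a built-in way to write the same EFS certificate and key backup to a .pfx without scripting.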
 
Hello,
I have installed an "Enterprise root CA" on my Windows 2000 Server.
I open the MMC on a workstation with the Certificates snap-in. I select
"Certificate Manager", then "Active Directory User Object". Now my EFS
certificate appears.
If I want to export this certificate, then I cannot select the private key.
Under "Certificate Manager" > "Personal" there isn't a certificate. I can create
my own EFS certificate under "Personal": I open Internet Explorer
at the address of my root CA, for example http://servername/certsrv, and create
an EFS certificate with a private key that I can export. Problem: if I
create a file on the server and encrypt this file, then this file will be encrypted
with the certificate under "Active Directory User Object".
Why? Can I configure the CA so that it takes my own certificate?
Or, can I as Administrator create a certificate with an exportable private key
that is available in the domain? Or must I delete the EFS template?
Thank you!
 
Keys can be marked as either exportable OR NOT, when
the certificate is created. It is part of the Certificate Policy
whether to allow the choice usually.
 
I am not quite sure what you are trying to accomplish, but to export an EFS
certificate and private key, the user that "owns" that certificate/private
key needs to log on to the computer where the EFS certificate/private key
lives and then use the MMC snap-in for "certificates" - my user account, and then
go to the Personal\Certificates folder. I don't know what you are trying to
do with "Certificate Manager" then "Active Directory User Object"?? If you go
to a user account in Active Directory Users and Computers, you can see the
certificates that are mapped in AD to a user's account, but that is the
"public key" only. You must export from the computer where the certificate
and the private key are shown via the MMC snap-in for my user account. ---
Steve
 
When a user encrypts a file remotely on a server, the EFS certificate/key is
generated for the user on the server. (A profile is created for the user on
the server and the certificate/key are stored in that profile.) If you want
to back up that certificate/key, you would have to log onto the server as the
user in order to access the profile data. (The certificate/private key can
only be backed up from the Certificates > Personal store for that user.) If
you configure your user to have a roaming profile, the server will use the
EFS certificate/key from the roaming profile (or generate a certificate/key
for that profile if it has none). The user will then be able to access the
same certificate/key from their roaming profile on their workstations and
back them up there.

Thanks.
Pat
 
Pat Hoffer said:
> When a user encrypts a file remotely on a server, the EFS certificate/key is
> generated for the user on the server. (A profile is created for the user on
> the server and the certificate/key are stored in that profile.)

The above is inaccurate or misleading at best.

A roaming profile might be created
on SOME server if you set it up that way, but the location of
the roaming profile is totally unrelated to the file server where
the user encrypts files.

If they happen to be the same server that is merely an accident
and never automatic (admin must set up roaming profiles.)

> If you want
> to back up that certificate/key, you would have to log onto the server as the
> user in order to access the profile data.

Login as the user is correct, but you could log on from any machine
in the domain (trust relationship actually) where the profile was
available.

> (The certificate/private key can
> only be backed up from the Certificates > Personal store for that user.) If
> you configure your user to have a roaming profile, the server will use the
> EFS certificate/key from the roaming profile (or generate a certificate/key
> for that profile if it has none).

Actually this is the profile that will store the user's file keys.

There is no separate profile just because of EFS.

> The user will then be able to access the
> same certificate/key from their roaming profile on their workstations and
> back them up there.

Are you saying a user with a non-roaming profile will actually
have a server-specific certificate stored on that particular server?

Do you have a reference for this behavior...?
 
microsoft.public.win2000.security news group, Herb Martin:
> The above is inaccurate or misleading at best.

Actually, the above is completely accurate. What you've posted is
inaccurate or misleading at best.

> A roaming profile might be created
> on SOME server if you set it up that way, but the location of
> the roaming profile is totally unrelated to the file server where
> the user encrypts files.

Wrong. No one is talking about roaming user profiles here.

> If they happen to be the same server that is merely an accident
> and never automatic (admin must set up roaming profiles.)

Wrong again.

> Login as the user is correct, but you could log on from any machine
> in the domain (trust relationship actually) where the profile was
> available.

Wrong again.

> Actually this is the profile that will store the user's file keys.
>
> There is no separate profile just because of EFS.

Wrong again.

> Are you saying a user with a non-roaming profile will actually
> have a server-specific certificate stored on that particular server?
>
> Do you have a reference for this behavior...?

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_umpb.asp

or

http://tinyurl.com/c4ded


--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
 
Here's a deeper link:
http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prnb_efs_hzqx.asp
Look under Ch. 17 Encrypting File System > Remote EFS Operations... > Remote
EFS Operations in a File Share Environment.

Note that if you're using Web folders, rather than file shares, for remote
encryption, the encryption/decryption process takes place on the workstations
rather than the servers; so the EFS certificates/keys are generated and
stored in profiles on the workstations.

Thanks.
Pat
 