Problem with CA

Niro

I've recently installed a CA in our Windows 2003 domain and I'm having
a few problems with EFS certificates.

This is a Windows 2003 domain using local profiles (not roaming).

I requested a certificate from the CA from my workstation and
installed it. So now I have a certificate on my PC (call it PC A)
under my profile (call it USER A) with a private key...the thumbprint
starts with 1E8F; this is verified with efsinfo /Y, which displays the
right thumbprint...and encrypting files on PC A works properly...the
file gets the right certificate thumbprint (verified with efsinfo /C).

Now, I export the certificate on PC A to a file with the private key
and log in to the file server (PC B) as USER A. I then import the
certificate with the private key, and the PC now has the proper
certificate, using efsinfo /Y to verify that the certificate
thumbprint is the 1E8F certificate.

Now PC A and PC B have USER A's local profiles with the certificate
including the private key.

The problem I'm having is when I'm logged in to PC A, I encrypt a file
on a shared folder in PC B...but the certificate thumbprint on that
file is something completely different (starts with 68ED for example).
I have no idea where it's getting this thumbprint, I checked the
certificates on both PC A and PC B and can't find a certificate
matching that thumbprint. Also...when logged in to PC B (after
encrypting the file from PC A) I can't access that file.

If I encrypt a file on PC B from PC B...I can access it fine from PC B
but not from PC A...and the file thumbprint when encrypting from PC B
is the right thumbprint...1E8F.

So what am I doing wrong??

Thanks,
Mike
 
Niro

Also...in AD, the "trust computer for delegation" option is enabled on
the file server.

-Mike
 
Drew Cooper [MSFT]

This doesn't seem to have anything to do with the CA, but with remote EFS
(over the SMB redirector).

- You don't need the certificate and private key on PC A. All of the EFS
operations will happen on PC B.
- The certificate and private key need to be in the user profile on PC B for
the user you're connecting as from PC A.

If that doesn't lead you to a solution for your problem, please post again -
I'll keep my eye on this thread.
 
Niro

Thanks for the quick reply. I actually got this process to work well
on one of our win2k3 servers...creating local profiles on the server
and importing the certificate to it, I'm able to encrypt files and
access them from other PCs.

I am having problems doing that on our 2k server (we only have
one...and it happens to be our file server also). I created a local
profile (USER A) on the 2k server and imported the certificate with
the private key. But when I encrypt files on that server through a
network share using USER A from a different PC...the file gets a
completely different thumbprint still...and I have no idea where it's
getting that thumbprint. I've looked through both the local profile on
the server and on the PC...and I can't find that thumbprint. Do Win2k
servers just not work well with certificates?

-Mike
 
niro

I'm having another related problem...I tried using the certificate
(the certificate I requested was an Administrator certificate) to
encrypt email...but I don't see any digital certificates in the
Outlook XP options...the digital signature button under the Security
tab is grayed out. Also...I tried selecting the "encrypt all outgoing
messages" option in Outlook...and when I try to send out an email I
get the message "error with underlying security" or something like
that.

I even tried getting an Exchange User certificate to see if it's a
problem with the admin cert...but I get the same problems after
installing the Exchange User cert.


Thanks,
Mike
 
Drew Cooper [MSFT]

Remote EFS works against a Win2k server, too. If you could encrypt a file
remotely on the Win2k server there must be a profile created on the server
for that user. The cert should be there.
Hunch: There was a problem loading the user profile and a new profile was
created on the server. Whether this is true should be obvious by looking at
the profile directory names on the server - if there's a second one with the
name of your user in it, that's what happened. In case of profile load
errors, you might want to check the event logs next.
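The check Drew suggests, as an added example that is not part of the thread: a PowerShell script (it assumes PowerShell 3.0 or later and an elevated session on the file server) that lists the ProfileList entries for one account, flags a second profile directory or a leftover ".bak" key, counts the private key container files under each profile directory, and pulls recent profile errors from the Application log. The account name USERA, the two profile folder layouts and the two event-source names are assumptions; change them to match the server.

```powershell
# Added example, not from the thread. Looks for the signs of a failed profile
# load on the file server: a second profile directory for the user, a leftover
# ".bak" ProfileList key, and profile errors in the Application log.
# Run in an elevated PowerShell 3.0+ session on the server.
$UserName = 'USERA'   # assumed account name; use the account you connect as

$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# 1. Profile entries. A healthy account has exactly one. An extra directory such as
#    USERA.DOMAIN or USERA.000, or a SID key ending in .bak, means Windows could not
#    load the original profile and created a fresh one (which has no imported EFS key).
$profiles = Get-ChildItem $profileListKey | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath
    $path  = [Environment]::ExpandEnvironmentVariables([string]$props.ProfileImagePath)
    [pscustomobject]@{
        SidKey = $_.PSChildName
        Path   = $path
        IsBak  = $_.PSChildName -like '*.bak'
    }
} | Where-Object { $_.Path -and (Split-Path $_.Path -Leaf) -like "$UserName*" }

$profiles | Format-Table -AutoSize

if (@($profiles).Count -gt 1 -or ($profiles | Where-Object { $_.IsBak })) {
    Write-Warning "Multiple profile entries (or a .bak entry) for $UserName; a profile load failure is likely."
}

# 2. Which of those directories holds the imported private key? User key containers
#    live under the profile; the folder layout depends on the OS version.
foreach ($p in $profiles) {
    $candidates = @(
        (Join-Path $p.Path 'AppData\Roaming\Microsoft\Crypto\RSA'),   # Vista/2008 and later
        (Join-Path $p.Path 'Application Data\Microsoft\Crypto\RSA')   # 2000/XP/2003
    )
    $keyDir = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    $count  = if ($keyDir) { @(Get-ChildItem $keyDir -Recurse -File).Count } else { 0 }
    '{0}: {1} key container file(s)' -f $p.Path, $count
}

# 3. Profile load errors go to the Application log. The event source is 'Userenv'
#    on 2000/2003 and 'Microsoft-Windows-User Profiles Service' on Vista/2008 and later.
$sources = 'Userenv', 'Microsoft-Windows-User Profiles Service'
Get-EventLog -LogName Application -EntryType Error, Warning -Newest 500 -ErrorAction SilentlyContinue |
    Where-Object { $sources -contains $_.Source -and $_.Message -match 'profile' } |
    Select-Object TimeGenerated, Source, EventID, Message |
    Format-List
```

If the script reports two entries for the account, the one without any key container files is the fresh profile that the remote EFS operation is loading, which is why files encrypted through the share get a thumbprint that is not the imported one.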
 
Drew Cooper [MSFT]

An EFS key pair won't do mail signing or encryption. You should request a
different cert from a CA for that.

Note also: You wouldn't want to encrypt an email with your own cert - you
would want to encrypt it with the recipient's.
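Two points from this thread, served by one added example that is not code from the original posts: Drew's first reply says the certificate and its private key must be in the user's profile on the file server, and his last reply says an EFS key pair is not a mail certificate. The PowerShell below (it assumes PowerShell 3.0 or later and is meant to be run in the profile that does the encrypting, i.e. on PC B for remote EFS) lists the current user's personal certificates with their enhanced key usages, so you can see which ones EFS can use and which ones Outlook would offer for S/MIME. The file path C:\Temp\secret.txt is a placeholder.

```powershell
# Added example, not from the thread. Lists the current user's certificates
# and marks which carry the EFS and Secure Email purposes. Requires PowerShell 3.0+.
$EfsOid  = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$MailOid = '1.3.6.1.5.5.7.3.4'        # Secure Email (S/MIME) EKU

function Get-CertPurposes {
    # Returns the EKU OIDs of a certificate, or an empty array if it has no EKU extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return @() }
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

$certs = Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $purposes = Get-CertPurposes -Cert $_
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint        # compare with what efsinfo /Y reports
        HasPrivateKey = $_.HasPrivateKey     # a cert exported without its key is useless here
        EFS           = $purposes -contains $EfsOid
        SecureEmail   = $purposes -contains $MailOid
        NotAfter      = $_.NotAfter
        Subject       = $_.Subject
    }
}

$certs | Format-Table Thumbprint, HasPrivateKey, EFS, SecureEmail, NotAfter, Subject -AutoSize

# EFS uses a certificate that has the EFS EKU, a private key and is not expired.
# If none qualifies in this profile, EFS quietly creates a new self-signed one,
# and files then carry a thumbprint that is not the one you imported.
$efsReady = $certs | Where-Object { $_.EFS -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
if (-not $efsReady) {
    Write-Warning 'No usable EFS certificate with a private key in this profile.'
}

# Outlook offers only certificates that carry the Secure Email purpose (and a private key);
# an EFS-only certificate never shows up in its security settings.
$mailReady = $certs | Where-Object { $_.SecureEmail -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
if (-not $mailReady) {
    Write-Warning 'No Secure Email certificate with a private key; request one from the CA using a template that includes that purpose.'
}

# Finally, see what EFS actually put on a file. cipher /c prints the thumbprints of the
# users who can decrypt it (Vista/2008 and later); efsinfo /C is the 2000/2003 equivalent.
$file = 'C:\Temp\secret.txt'   # placeholder path
if (Test-Path $file) { cipher /c $file }
```

Run it once in the USER A profile on PC B and compare the Thumbprint column with what efsinfo /C shows on a file encrypted through the share: if the file's thumbprint is missing from the table, the encryption is not happening in the profile you imported into.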
 
