EFS Certificate Self Signed Vs. User Cert



Griff
07-09-2005, 10:52 PM
I have set up my PKI and was able to designate a Recovery Agent through the
domain policy. When the users encrypt on their local workstations they use
the User cert that I issued them. When they encrypt on the network it uses a
self-signed cert. The RA still works, but I would like to have everyone using
their User cert for EFS. What is the easiest way to make this happen?
Thanks in advance for any help.

Brian Komar
07-09-2005, 10:52 PM
In article <2C25C08B-87DA-4E97-BAFF-7CF6FC523207@microsoft.com>,
Griff@discussions.microsoft.com says...
> I have set up my PKI and was able to designate a Recovery Agent through the
> domain policy. When the users encrypt on their local workstations they use
> the User cert that I issued them. When they encrypt on the network it uses a
> self-signed cert. The RA still works, but I would like to have everyone using
> their User cert for EFS. What is the easiest way to make this happen?
> Thanks in advance for any help.
>
This is the expected behavior. When you encrypt a file on a network
share using CIFS, the server impersonates the user and performs the
encryption locally in the security context of the user (which is why the
server must be trusted for delegation).

Because the server cannot request a certificate from the CA, the server
generates a self-signed certificate.

You can use the local EFS certificate (the one you want) by connecting
to the share using WebDAV rather than CIFS. You must share the folder
as a Web Folder and then connect using HTTP rather than SMB.

Brian
--
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
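A quick way to verify the behaviour described above from the workstation is to inventory the user's EFS certificates (CA-issued vs. self-signed) and then see which thumbprints `cipher /c` reports for a given encrypted file. This is an added example script, not code from the thread; it assumes `cipher /c` prints a "Certificate thumbprint:" line per decrypting principal, and the file path is a placeholder.

```powershell
# Added example (not from the thread): list the user's EFS certificates,
# flag self-signed ones, and check which certificate protects a given file.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU

function Get-EfsCertificateInventory {
    # Every cert in the user's personal store that carries the EFS EKU.
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $ekuExt = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasEfs = $false
        foreach ($e in $ekuExt) {
            if ($e.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid }) { $hasEfs = $true }
        }
        if ($hasEfs) {
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                # Self-signed EFS certs have Subject == Issuer; CA-issued ones do not.
                SelfSigned = ($_.Subject -eq $_.Issuer)
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Test-EfsFileCertificate {
    param([Parameter(Mandatory)][string]$Path)
    # Assumption: cipher /c emits "Certificate thumbprint: XXXX XXXX ..." lines
    # for each user / recovery agent able to decrypt the file.
    $inventory = Get-EfsCertificateInventory
    $output = & cipher.exe /c $Path 2>&1
    foreach ($line in $output) {
        if ($line -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
            $tp    = ($Matches[1] -replace '\s', '').ToUpper()
            $match = $inventory | Where-Object { $_.Thumbprint -eq $tp }
            [pscustomobject]@{
                File        = $Path
                Thumbprint  = $tp
                InUserStore = [bool]$match        # $false: cert not on this workstation
                SelfSigned  = if ($match) { $match.SelfSigned } else { $null }
            }
        }
    }
}

# Usage (placeholder path): a file encrypted over CIFS is expected to show a
# thumbprint that is self-signed or absent from the local store (server-generated),
# while a locally encrypted file should show the CA-issued User cert.
Get-EfsCertificateInventory | Format-Table Thumbprint, SelfSigned, Issuer -AutoSize
Test-EfsFileCertificate -Path 'C:\Users\example\Documents\secret.txt' | Format-Table -AutoSize
```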
