EFS over the Network



Griff
07-09-2005, 11:53 PM
I am publishing User certs to Active Directory. Users are beginning to
encrypt files on the network. They are using self signed certs to do this.
You can add users who can access the data from within the EFS menu. However,
the user whose User cert is specified cannot connect to the network location
and access this file. Does it need to be mapped? Is this functionality not
possible? If not then what is the purpose of being able to add other users? Any
help understanding this portion of EFS would be great. Thank you in
advance.....

Steven L Umbach
07-09-2005, 11:53 PM
The links below are to EFS and may help. It sounds like the user trying
to access the file does not have a profile on the server with his EFS
certificate/private key. Servers where files are being encrypted must be
trusted for delegation. Usually when a user is encrypting files on a server
share they will be using a different EFS certificate/private key than what
they use on their local computer. The server will create a mini profile for
them when they encrypt their first file with EFS on the server. You could
have the user that cannot access the file encrypt a file on the server
share and then use that certificate for EFS file sharing or have the user
log on to the server and then import his current EFS certificate AND private
key via a password protected .pfx file that he exported from his computer.
Note that the certificate that is published in AD is only the "public key"
and cannot be used to decrypt EFS files without the associated private key.
Also be very careful with EFS as it is not unusual for a user to lose
permanent access to their EFS files if their key becomes corrupted or
deleted. I would make sure that there is at least one Recovery Agent for the
domain. --- Steve


http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_umpb.asp
OR
http://tinyurl.com/c4ded

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- EFS best practices


"Griff" <Griff@discussions.microsoft.com> wrote in message
news:0DFE6811-50EA-435F-9B6B-49F63F642A30@microsoft.com...
> I am publishing User certs to Active Directory. Users are beginning to
> encrypt files on the network. They are using self signed certs to do this.
> You can add users who can access the data from within the EFS menu. However,
> the user whose User cert is specified cannot connect to the network location
> and access this file. Does it need to be mapped? Is this functionality not
> possible? If not then what is the purpose of being able to add other users? Any
> help understanding this portion of EFS would be great. Thank you in
> advance.....
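
The export and import step described in the reply above, as an added example that is not part of the original thread. It assumes a current Windows version with the PKI cmdlets (the thread predates them); the function names, share path and .pfx path are hypothetical placeholders.

```powershell
# Added example, not from the thread. Paths and function names are hypothetical.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

function Get-EfsCertificate {
    # EFS certificates in the current user's personal store on THIS machine.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid }
}

function Test-EfsPrivateKey {
    # True only if an unexpired EFS certificate here also has its private key.
    # The copy published in AD holds the public key only and never satisfies this.
    $usable = Get-EfsCertificate |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
    [bool]$usable
}

function Export-EfsKey {
    # Workstation side: write certificate AND private key to a password-protected .pfx.
    param([Parameter(Mandatory)][string]$Thumbprint,
          [Parameter(Mandatory)][string]$PfxPath)
    $cert = Get-EfsCertificate | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No EFS certificate with thumbprint $Thumbprint." }
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key to export.' }
    $pw = Read-Host -AsSecureString -Prompt 'Password for the .pfx'
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pw | Out-Null
}

function Import-EfsKey {
    # Server side: run while logged on to the file server as the same user.
    param([Parameter(Mandatory)][string]$PfxPath)
    $pw = Read-Host -AsSecureString -Prompt 'Password for the .pfx'
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pw
}

# Typical sequence (placeholders):
#   Workstation:  Get-EfsCertificate | Format-List Thumbprint, Subject, NotAfter, HasPrivateKey
#                 Export-EfsKey -Thumbprint '<thumbprint>' -PfxPath 'C:\Temp\efs-user.pfx'
#   File server:  Import-EfsKey -PfxPath 'C:\Temp\efs-user.pfx'; Test-EfsPrivateKey
#                 cipher.exe /c '\\server\share\file.doc'   # lists certificates able to decrypt
# Remove the .pfx after the import; it contains the private key.
```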
