WinXP Encryption Added users "Access denied"

Guest
Archived from groups: microsoft.public.security.crypto,microsoft.public.windowsxp.security_admin

Hi,

I'm running WindowsXP, SP2 on a LAN w/ a Win2K server acting as domain and
exchange server running small business server 2003. Trying to encrypt files
on server and allow access by multiple users on the network. Using as my
guide the microsoft document:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sharefilesefs.mspx

PC1 user1,PC2 user2 both have r/w access to a shared drive on the server.

As user1(w/admin privileges), from PC1(NOT the server), I encrypt a file on
a shared drive residing on the server.

Then I get on PC2 as user2 and encrypt a test file on PC2 to generate a
certificate/key. I then export the cert to a drive accessible by PC1.

On PC1, I import the cert, and stick it in the Trusted Root Certification
Store.

Next, on PC1, I do a right click-->properties-->advanced and go into the
Details tab and Add user2 from PC2.

Most of the time I can look at the properties of the encrypted file from
both computers/users and see the two users in there under details.*

From PC1,user1, I can see the file contents.
From PC2,user2, I get access denied.

*I have noticed that sometimes when I try to look at the properties for the
encrypted file from PC1 or PC2, it takes a while, and sometimes clicking on
the advanced button takes a really long time (I killed the app from task mgr
after 10 minutes) AND causes other people on the network to have problems
accessing their outlook email.

Next, I went thru the same procedure with a file on PC1 which was in a
shared folder with r/w accessibility for PC2/user2. I saw the same behavior
as above except I can always get the properties and advanced/detail panels
to come up without delay or appreciable network impact, e.g.:

From PC1,user1, I can see the file contents.
From PC2,user2, I get access denied.

In the first case, sharing a file on the server, I can see that there might
be some operating system conflict (Win2K as the server, WinXP as the client)
but in the second case, sharing a file on the Peer PC1, I'm unclued.

Has anyone else seen this behavior or does anyone see what I'm doing wrong?
Thanks.
 
Guest
Archived from groups: microsoft.public.windowsxp.security_admin,microsoft.public.security.crypto

The documentation applies to sharing encrypted files between users who log
onto the same computer--in other words, both users have profiles and EFS
certificates/keys on the same PC. If you want to enable the users to access
those local files from a second computer, you must configure the first
computer to be trusted for delegation and share out the files.

If you want to share files that have been encrypted on a remote server, you
will have more success by using roaming profiles for the users. Configure
the profiles to be roaming, log onto a domain PC as each user and
install/create an EFS certificate for the user (encrypt a file), and then
publish that certificate to the AD (so it can be added to files). When the
user encrypts a file on the remote server for the first time, the server will
use the certificate from the user's roaming profile. Be sure when you are
adding users' certificates to remote files on the server that you are adding
the certificates that are stored in their roaming profiles.

Hope that helps.
Pat

--
This posting is provided "AS IS" with no warranties, and confers no rights.


"Rilje" wrote:

> Hi,
>
> I'm running WindowsXP, SP2 on a LAN w/ a Win2K server acting as domain and
> exchange server running small business server 2003. Trying to encrypt files
> on server and allow access by multiple users on the network. Using as my
> guide the microsoft document:
>
> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sharefilesefs.mspx
>
> PC1 user1,PC2 user2 both have r/w access to a shared drive on the server.
>
> As user1(w/admin privileges), from PC1(NOT the server), I encrypt a file on
> a shared drive residing on the server.
>
> Then I get on PC2 as user2 and encrypt a test file on PC2 to generate a
> certificate/key. I then export the cert to a drive accessible by PC1.
>
> On PC1, I import the cert, and stick it in the Trusted Root Certification
> Store.
>
> Next, on PC1, I do a right click-->properties-->advanced and go into the
> Details tab and Add user2 from PC2.
>
> Most of the time I can look at the properties of the encrypted file from
> both computers/users and see the two users in there under details.*
>
> From PC1,user1, I can see the file contents.
> From PC2,user2, I get access denied.
>
> *I have noticed that sometimes when I try to look at the properties for the
> encrypted file from PC1 or PC2, it takes a while, and sometimes clicking on
> the advanced button takes a really long time (I killed the app from task mgr
> after 10 minutes) AND causes other people on the network to have problems
> accessing their outlook email.
>
> Next, I went thru the same procedure with a file on PC1 which was in a
> shared folder with r/w accessibility for PC2/user2. I saw the same behavior
> as above except I can always get the properties and advanced/detail panels
> to come up without delay or appreciable network impact, e.g.:
>
> From PC1,user1, I can see the file contents.
> From PC2,user2, I get access denied.
>
> In the first case, sharing a file on the server, I can see that there might
> be some operating system conflict (Win2K as the server, WinXP as the client)
> but in the second case, sharing a file on the Peer PC1, I'm unclued.
>
> Has anyone else seen this behavior or does anyone see what I'm doing wrong?
> Thanks.
>
>
>
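
An added example, not part of any post in this thread: a PowerShell check of the preconditions named in the reply above (computer trusted for delegation, roaming profile, EFS certificate published to AD). It assumes a domain-joined PC with the ActiveDirectory module, which is newer than the systems discussed here; `FILESRV01` is a placeholder name.

```powershell
# Added example. $FileServer and $User are placeholders; run as the user
# whose access is being checked, on a domain PC with the ActiveDirectory module.
param(
    [string]$FileServer = 'FILESRV01',
    [string]$User       = $env:USERNAME
)
Import-Module ActiveDirectory
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU

# Delegation path: the machine holding the files must be trusted for
# delegation, and the user must not be flagged "sensitive, cannot be delegated".
$srv  = Get-ADComputer -Identity $FileServer -Properties TrustedForDelegation
$acct = Get-ADUser -Identity $User -Properties AccountNotDelegated, ProfilePath, Certificates

# Thumbprints of the certificates published on the user's AD object.
$published = @($acct.Certificates | ForEach-Object {
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_).Thumbprint
})

# EFS-capable certificates that have a private key in this profile.
$local = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $cert = $_
    $cert.HasPrivateKey -and ($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $efsOid })
})

# Summary of the account-level preconditions.
[pscustomobject]@{
    ServerTrustedForDelegation = $srv.TrustedForDelegation
    UserCannotBeDelegated      = $acct.AccountNotDelegated
    RoamingProfilePath         = $acct.ProfilePath
    LocalEfsCertsWithKey       = $local.Count
}

# Per certificate: is the one in this profile the one published to AD?
$local | ForEach-Object {
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        PublishedInAD = $published -contains $_.Thumbprint
    }
}
```

A certificate listed with `PublishedInAD` false is one that exists in the profile but is not the one others would pick up from the directory when adding the user to a file.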
 
Guest
Archived from groups: microsoft.public.windowsxp.security_admin,microsoft.public.security.crypto

I'm running WindowsXP, SP2 on a LAN w/ a Win2K server acting as domain and
exchange server running small business server 2003.

Thanks Pat. I read a microsoft page that suggested using Web Folders
(Network Places) instead of shared folders.

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_hzqx.asp

Apparently, encryption of a Web Folder doesn't require trusting for
delegation or Roaming Users. Sounded great. So I:

-Created a new Network Place pointing to the folder on the server.
-went into My Network Places, right clicked on the folder, clicked
properties, advanced, then checked the encryption.
-checked encrypt folders and files
-clicked OK. (properties dialog)
-Then my computer hung on the properties window and after a few minutes, it
said "Not Responding" in the title bar.

....Uh Oh

-Then another user went on a lunch break because Outlook was hanging for
her. She had a white screen with a title bar. This was about 5 minutes
after I clicked OK on the properties dialog.
-So I killed it (My Network Places) in the task manager, and everything on
my task bar disappeared.
-Restarted my computer and after a long delay at login, got in, everything
seemed normal. I could even check my Outlook.
-I tried logging in on the other (lunch break) user's pc using their login,
and it took a long time. Once it let me in, outlook still wouldn't work.
-After about twenty minutes, everybody started having problems getting into
outlook and other server applications started having problems.
-Went to the server, hit ctrlaltdel, and the login took a few minutes to
come up. Once it did, it wouldn't accept the admin password (kept saying it
was the wrong password, can't remember exact message, but looked like
standard msg "The domain couldn't log you on...").
-Did hard reboot of the server, everything seems normal.
-Checked the folder I tried to encrypt, none of it seems to be encrypted.

I noticed similar behavior before when I tried to encrypt shared folders.
The first time I encrypted a shared folder on the server from my computer,
it encrypted the folder and there was no noticeable network impact. The
second time, the events described above after "...Uh Oh" occurred. The same
user that had the initial outlook problem was the first to have a problem
(we have the same last name..). At the time, I harbored the dim hope that
this was merely coincidence.

Another symptom is when I go to the successfully encrypted shared folder and
do a right click, properties on the file, it takes a while to give me the
properties screen. Then I click on Advanced, and it hangs. I find that if
I quickly kill the app., no further network problems manifest.

Anywhere you can direct me to troubleshoot this? Thanks in advance.


"Pat Hoffer [MSFT]" <pathoff@online.microsoft.com> wrote in message
news:65D5DA03-3980-4CAF-A20E-AEE4DBDA7898@microsoft.com...
> The documentation applies to sharing encrypted files between users who log
> onto the same computer--in other words, both users have profiles and EFS
> certificates/keys on the same PC. If you want to enable the users to
> access
> those local files from a second computer, you must configure the first
> computer to be trusted for delegation and share out the files.
>
> If you want to share files that have been encrypted on a remote server,
> you
> will have more success by using roaming profiles for the users. Configure
> the profiles to be roaming, log onto a domain PC as each user and
> install/create an EFS certificate for the user (encrypt a file), and then
> publish that certificate to the AD (so it can be added to files). When
> the
> user encrypts a file on the remote server for the first time, the server
> will
> use the certificate from the user's roaming profile. Be sure when you are
> adding users' certificates to remote files on the server that you are
> adding
> the certificates that are stored in their roaming profiles.
>
> Hope that helps.
> Pat
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Rilje" wrote:
>
>> Hi,
>>
>> I'm running WindowsXP, SP2 on a LAN w/ a Win2K server acting as domain
>> and
>> exchange server running small business server 2003. Trying to encrypt
>> files
>> on server and allow access by multiple users on the network. Using as my
>> guide the microsoft document:
>>
>> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sharefilesefs.mspx
>>
 
Guest
Archived from groups: microsoft.public.windowsxp.security_admin,microsoft.public.security.crypto

I have had some, but not much, experience encrypting files on WebDAV shares
and never saw what you experienced. (What a day!) Perhaps your WebDAV share
is not configured as it needs to be--though it sounds like you're familiar
with that setup. Here's a couple of links that might help:

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/844f5e01-4b9e-4dac-897e-2a0bb33f28af.mspx

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wcewebsr/html/ceconConfiguringWebDAVServer.asp

Sorry I can't give you a definite answer on why it didn't work. Maybe
someone else out there has some ideas. Good luck.

Thanks.
Pat
--
This posting is provided "AS IS" with no warranties, and confers no rights.


"Rilje" wrote:

> I'm running WindowsXP, SP2 on a LAN w/ a Win2K server acting as domain and
> exchange server running small business server 2003.
>
> Thanks Pat. I read a microsoft page that suggested using Web Folders
> (Network Places) instead of shared folders.
>
> http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_hzqx.asp
>
> Apparently, encryption of a Web Folder doesn't require trusting for
> delegation or Roaming Users. Sounded great. So I:
>
> -Created a new Network Place pointing to the folder on the server.
> -went into My Network Places, right clicked on the folder, clicked
> properties, advanced, then checked the encryption.
> -checked encrypt folders and files
> -clicked OK. (properties dialog)
> -Then my computer hung on the properties window and after a few minutes, it
> said "Not Responding" in the title bar.
>
> ....Uh Oh
>
> -Then another user went on a lunch break because Outlook was hanging for
> her. She had a white screen with a title bar. This was about 5 minutes
> after I clicked OK on the properties dialog.
> -So I killed it (My Network Places) in the task manager, and everything on
> my task bar disappeared.
> -Restarted my computer and after a long delay at login, got in, everything
> seemed normal. I could even check my Outlook.
> -I tried logging in on the other (lunch break) user's pc using their login,
> and it took a long time. Once it let me in, outlook still wouldn't work.
> -After about twenty minutes, everybody started having problems getting into
> outlook and other server applications started having problems.
> -Went to the server, hit ctrlaltdel, and the login took a few minutes to
> come up. Once it did, it wouldn't accept the admin password (kept saying it
> was the wrong password, can't remember exact message, but looked like
> standard msg "The domain couldn't log you on...").
> -Did hard reboot of the server, everything seems normal.
> -Checked the folder I tried to encrypt, none of it seems to be encrypted.
>
> I noticed similar behavior before when I tried to encrypt shared folders.
> The first time I encrypted a shared folder on the server from my computer,
> it encrypted the folder and there was no noticeable network impact. The
> second time, the events described above after "...Uh Oh" occurred. The same
> user that had the initial outlook problem was the first to have a problem
> (we have the same last name..). At the time, I harbored the dim hope that
> this was merely coincidence.
>
> Another symptom is when I go to the successfully encrypted shared folder and
> do a right click, properties on the file, it takes a while to give me the
> properties screen. Then I click on Advanced, and it hangs. I find that if
> I quickly kill the app., no further network problems manifest.
>
> Anywhere you can direct me to troubleshoot this? Thanks in advance.
>
>
> "Pat Hoffer [MSFT]" <pathoff@online.microsoft.com> wrote in message
> news:65D5DA03-3980-4CAF-A20E-AEE4DBDA7898@microsoft.com...
> > The documentation applies to sharing encrypted files between users who log
> > onto the same computer--in other words, both users have profiles and EFS
> > certificates/keys on the same PC. If you want to enable the users to
> > access
> > those local files from a second computer, you must configure the first
> > computer to be trusted for delegation and share out the files.
> >
> > If you want to share files that have been encrypted on a remote server,
> > you
> > will have more success by using roaming profiles for the users. Configure
> > the profiles to be roaming, log onto a domain PC as each user and
> > install/create an EFS certificate for the user (encrypt a file), and then
> > publish that certificate to the AD (so it can be added to files). When
> > the
> > user encrypts a file on the remote server for the first time, the server
> > will
> > use the certificate from the user's roaming profile. Be sure when you are
> > adding users' certificates to remote files on the server that you are
> > adding
> > the certificates that are stored in their roaming profiles.
> >
> > Hope that helps.
> > Pat
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> >
> >
> > "Rilje" wrote:
> >
> >> Hi,
> >>
> >> I'm running WindowsXP, SP2 on a LAN w/ a Win2K server acting as domain
> >> and
> >> exchange server running small business server 2003. Trying to encrypt
> >> files
> >> on server and allow access by multiple users on the network. Using as my
> >> guide the microsoft document:
> >>
> >> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sharefilesefs.mspx
> >>
>
>
>