Cannot Decrypt Files

Archived from groups: microsoft.public.win2000.security

Hi,

I am logged in to a standalone W2K machine as the user who encrypted the
files. Efsinfo and MMC Certificates have indicated that my certificate
thumbprints are the same. Efsinfo however states that the user is unknown
even though CN=<myuser>..not sure if that matters. An interesting side note
is that when I attempt to request a certificate with the same key from my
personal efs certificate I receive an error message stating that the selected
certificate has no private key. Any help would be appreciated.

TIA,
Robert
  1. Archived from groups: microsoft.public.win2000.security

    When you view your certificate in the mmc snapin for certificates for "user"
    and look at the general page it needs to show "you have a private key that
    corresponds to this certificate". If not you will not be able to access the
    EFS files with that certificate. Possibly at one time you exported the
    certificate and private key to a password protected .pfx file AND in the
    process checked the option to delete the private key?? If that is so, import
    the .pfx certificate/private key back into that computer to access the EFS
    files. Windows 2000 also requires a Recovery Agent for EFS which is the
    built in administrator account for a non domain computer which probably is
    what was referenced to as "unknown user". So try logging on as the built in
    administrator account to see if that works or importing the domain's RA
    certificate/private key from a .pfx file for it. Efsinfo /r shows RA
    information. In a domain the RA can typically be the built in administrator
    account for the domain and the best place to look for that certificate
    would be on the first domain controller in the domain which may be the pdc
    fsmo. You can not request a certificate with the same private key if the
    private key does not exist with the certificate which is why you get that
    message. FYI the EFS certificate/private key live in the user's profile. So
    if you have a backup of the user's profile for that installation of the
    operating system you may be able to restore a copy of the profile and thus
    the private key assuming the backup contained the private key. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316

    "Robert" <Robert@discussions.microsoft.com> wrote in message
    news:FF62B5A2-3172-47AD-B31B-261B26646219@microsoft.com...
    > Hi,
    >
    > I am logged in to a standalone W2K machine as the user who encrypted the
    > files. Efsinfo and MMC Certificates have indicated that my certificate
    > thumbprints are the same. Efsinfo however states that the user is unknown
    > even though CN=<myuser>..not sure if that matters. An interesting side
    > note
    > is that when I attempt to request a certificate with the same key from my
    > personal efs certificate I receive an error message stating that the
    > selected
    > certificate has no private key. Any help would be appreciated.
    >
    > TIA,
    > Robert
  2. Archived from groups: microsoft.public.win2000.security

    Hi Steven,

    Thank you very much for your response.
    The general page does indeed show that I "have a private key that
    corresponds to this certificate". It does however say that "This CA Root
    certificate is not trusted." And also as a step in this ordeal I had in fact
    exported what I believed to be the certificate of my user to a .pfx file and
    have since imported it back into my personal certificate folder with no
    success in decrypting the files. Perhaps I did not import it correctly
    although I did receive the successful message...
    I have also logged in as the local administrator that Efsinfo indicated has
    a matching thumbprint to the RA and have not been able to decrypt.
    My laptop has been part of a domain in the past but is now a standalone in a
    workgroup. Could that possibly matter?

    Many thanks,
    Robert

    "Steven L Umbach" wrote:

    > When you view your certificate in the mmc snapin for certificates for "user"
    > and look at the general page it needs to show "you have a private key that
    > corresponds to this certificate". If not you will not be able to access the
    > EFS files with that certificate. Possibly at one time you exported the
    > certificate and private key to a password protected .pfx file AND in the
    > process checked the option to delete the private key?? If that is so, import
    > the .pfx certificate/private key back into that computer to access the EFS
    > files. Windows 2000 also requires a Recovery Agent for EFS which is the
    > built in administrator account for a non domain computer which probably is
    > what was referenced to as "unknown user". So try logging on as the built in
    > administrator account to see if that works or importing the domain's RA
    > certificate/private key from a .pfx file for it. Efsinfo /r shows RA
    > information. In a domain the RA can typically be the built in administrator
    > account for the domain and the best place to look for that certificate
    > would be on the first domain controller in the domain which may be the pdc
    > fsmo. You can not request a certificate with the same private key if the
    > private key does not exist with the certificate which is why you get that
    > message. FYI the EFS certificate/private key live in the user's profile. So
    > if you have a backup of the user's profile for that installation of the
    > operating system you may be able to restore a copy of the profile and thus
    > the private key assuming the backup contained the private key. --- Steve
    >
    > http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
    >
    > "Robert" <Robert@discussions.microsoft.com> wrote in message
    > news:FF62B5A2-3172-47AD-B31B-261B26646219@microsoft.com...
    > > Hi,
    > >
    > > I am logged in to a standalone W2K machine as the user who encrypted the
    > > files. Efsinfo and MMC Certificates have indicated that my certificate
    > > thumbprints are the same. Efsinfo however states that the user is unknown
    > > even though CN=<myuser>..not sure if that matters. An interesting side
    > > note
    > > is that when I attempt to request a certificate with the same key from my
    > > personal efs certificate I receive an error message stating that the
    > > selected
    > > certificate has no private key. Any help would be appreciated.
    > >
    > > TIA,
    > > Robert
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.security

    The certificate that says you have the private key for, try to export the
    certificate and private key to a password protected .pfx file to verify that
    the private key is intact and not corrupt. As far as the root CA not being
    trusted, I don't think that should matter for file encryption and
    decryption. When you try to import a certificate/private key for EFS, verify
    that it shows up in the mmc certificate snapin for user in the personal
    certificate folder. If not try to import it directly from that folder. Also
    while logged on as the built in administrator account, check to see if there
    is indeed a Recovery Agent certificate/private key in the certificate store
    for user.

    As far as being in a domain. Did you use EFS as a domain user, local
    computer users, or both?? --- Steve


    "Robert" <Robert@discussions.microsoft.com> wrote in message
    news:2A817D0E-770D-4E89-88F3-AF4B53E510BF@microsoft.com...
    > Hi Steven,
    >
    > Thank you very much for your response.
    > The general page does indeed show that I "have a private key that
    > corresponds to this certificate". It does however say that "This CA Root
    > certificate is not trusted." And also as a step in this ordeal I had in
    > fact
    > exported what I believed to be the certificate of my user to a .pfx file
    > and
    > have since imported it back into my personal certificate folder with no
    > success in decrypting the files. Perhaps I did not import it correctly
    > although I did receive the successful message...
    > I have also logged in as the local administrator that Efsinfo indicated
    > has
    > a matching thumbprint to the RA and have not been able to decrypt.
    > My laptop has been part of a domain in the past but is now a standalone in
    > a
    > workgroup. Could that possibly matter?
    >
    > Many thanks,
    > Robert
    >
    > "Steven L Umbach" wrote:
    >
    >> When you view your certificate in the mmc snapin for certificates for
    >> "user"
    >> and look at the general page it needs to show "you have a private key
    >> that
    >> corresponds to this certificate". If not you will not be able to access
    >> the
    >> EFS files with that certificate. Possibly at one time you exported the
    >> certificate and private key to a password protected .pfx file AND in the
    >> process checked the option to delete the private key?? If that is so,
    >> import
    >> the .pfx certificate/private key back into that computer to access the
    >> EFS
    >> files. Windows 2000 also requires a Recovery Agent for EFS which is the
    >> built in administrator account for a non domain computer which probably
    >> is
    >> what was referenced to as "unknown user". So try logging on as the built
    >> in
    >> administrator account to see if that works or importing the domain's RA
    >> certificate/private key from a .pfx file for it. Efsinfo /r shows RA
    >> information. In a domain the RA can typically be the built in
    >> administrator
    >> account for the domain and the best place to look for that certificate
    >> would be on the first domain controller in the domain which may be the
    >> pdc
    >> fsmo. You can not request a certificate with the same private key if the
    >> private key does not exist with the certificate which is why you get that
    >> message. FYI the EFS certificate/private key live in the user's profile.
    >> So
    >> if you have a backup of the user's profile for that installation of the
    >> operating system you may be able to restore a copy of the profile and
    >> thus
    >> the private key assuming the backup contained the private key. --- Steve
    >>
    >> http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
    >>
    >> "Robert" <Robert@discussions.microsoft.com> wrote in message
    >> news:FF62B5A2-3172-47AD-B31B-261B26646219@microsoft.com...
    >> > Hi,
    >> >
    >> > I am logged in to a standalone W2K machine as the user who encrypted
    >> > the
    >> > files. Efsinfo and MMC Certificates have indicated that my certificate
    >> > thumbprints are the same. Efsinfo however states that the user is
    >> > unknown
    >> > even though CN=<myuser>..not sure if that matters. An interesting side
    >> > note
    >> > is that when I attempt to request a certificate with the same key from
    >> > my
    >> > personal efs certificate I receive an error message stating that the
    >> > selected
    >> > certificate has no private key. Any help would be appreciated.
    >> >
    >> > TIA,
    >> > Robert
    >>
    >>
    >>
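
The checks discussed in this thread (an EFS or recovery agent certificate in the user's personal store, a thumbprint matching the one Efsinfo reports for the file, and a private key that is actually intact), as an added PowerShell example that is not part of the original posts. It assumes a later Windows version with PowerShell 3 or newer and .NET Framework 4.6 or newer (Windows 2000 has no PowerShell) and an RSA key; the parameter name `FileThumbprint` is illustrative and its value is supplied by you.

```powershell
# Added example, not from the thread. Run as the user (or recovery agent account)
# whose certificate should be able to decrypt the file.
param(
    # Assumption: the thumbprint Efsinfo shows for the encrypted file, pasted by the operator.
    [Parameter(Mandatory = $true)][string]$FileThumbprint
)

# Enhanced key usage OIDs that make a certificate usable for EFS or EFS recovery.
$EfsOids = @{
    '1.3.6.1.4.1.311.10.3.4'   = 'Encrypting File System'
    '1.3.6.1.4.1.311.10.3.4.1' = 'File Recovery (recovery agent)'
}
# Normalise the thumbprint: drop spaces and other separators, upper-case the hex.
$want = ($FileThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$rsaExt  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
$padding = [System.Security.Cryptography.RSAEncryptionPadding]::Pkcs1

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    $purposes = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $EfsOids.ContainsKey($_.Value) } |
        ForEach-Object { $EfsOids[$_.Value] })
    if ($purposes.Count -eq 0) { return }   # not an EFS-related certificate, skip it

    # HasPrivateKey only says a key is *associated* with the certificate. Encrypt a
    # probe with the public key and decrypt it with the private key to prove the
    # key container is really there and readable.
    $keyState = 'no private key associated'
    if ($cert.HasPrivateKey) {
        try {
            $probe = [byte[]](1..32)
            $ct = $rsaExt::GetRSAPublicKey($cert).Encrypt($probe, $padding)
            $pt = $rsaExt::GetRSAPrivateKey($cert).Decrypt($ct, $padding)
            $same = [Convert]::ToBase64String($pt) -eq [Convert]::ToBase64String($probe)
            $keyState = if ($same) { 'usable' } else { 'round trip mismatch' }
        } catch {
            $keyState = "associated but unusable: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        Purpose     = $purposes -join ', '
        MatchesFile = ($cert.Thumbprint -eq $want)
        PrivateKey  = $keyState
    }
} | Format-List
```

A certificate that shows `MatchesFile : True` together with anything other than `PrivateKey : usable` is the situation described in the thread: the certificate is present, but the key needed to decrypt is missing or damaged, so a .pfx or profile backup is the place to look next.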