EFS

Anonymous
June 7, 2005 3:33:27 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,
I have a Windows 2000 Server with Active Directory and 10 clients. Now I
want to encrypt data on the server. I have installed a CA on a Windows 2000
Server. A user from a workstation can encrypt a file; this is OK. The
user is assigned the certificate.
So that the system is very safe, the user wants to save the private key on
a disk.
But I cannot export the private key. This function cannot be selected.
What can I do to export the private key?

Anonymous
June 7, 2005 9:46:41 PM

"Roland Hübner" <Roland Hbner@discussions.microsoft.com> wrote in message
news:09A6E48F-FE98-4392-8DD1-524ACBEA3FFC@microsoft.com...
> Hello,
> I have a Windows 2000 Server with Active Directory and 10 clients. Now I
> want to encrypt data on the server. I have installed a CA on a Windows 2000
> Server.

Is it an "Enterprise CA" ? A stand-alone CA cannot auto-issue
the domain certificates for EFS.

Microsoft SHOULD have named 'Enterprise' as an AD CA or
as an AD-Enterprise CA to help explain this key point.

> A user from a workstation can encrypt a file; this is OK. The
> user is assigned the certificate.
> So that the system is very safe, the user wants to save the private key on
> a disk.

The default policy for these keys is not "exportable"; that can be
changed. Search Google for "changing certificate policy" and "exportable"
or some such.

> But I cannot export the private key. This function cannot be selected.
> What can I do to export the private key?

You cannot export that key, but you can change the policy and
issue new certificates.

BTW, WHY do you wish to allow the certificates to be exported?

There are reasons, but there are also significant security risks and
we might be able to solve the "real problem" another (better) way....

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Anonymous
June 8, 2005 4:14:19 AM

You cannot export the private key for the user; they must do that
themselves. While the user is logged on, have them use the mmc snapin for
certificates for "user" and go to their personal/certificates folder. When
they find their certificate for Encrypted File System [or possibly user
certificate], have them right click the certificate, select all tasks and
export. The certificate used for EFS should have the ability to export their
private key [assuming the private key is present] unless at one time the
user exported and deleted it and then, when importing it back into their
computer, did not select the option to allow the private key to be exported.
The link below may be of help; see the section for how to back up your
certificate, though it shows how to do such via Internet Explorer as another
possible way to do it. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316

"Roland Hübner" <Roland Hübner@discussions.microsoft.com> wrote in message
news:09A6E48F-FE98-4392-8DD1-524ACBEA3FFC@microsoft.com...
> Hello,
> I have a Windows 2000 Server with Active Directory and 10 clients. Now I
> want to encrypt data on the server. I have installed a CA on a Windows 2000
> Server. A user from a workstation can encrypt a file; this is OK. The
> user is assigned the certificate.
> So that the system is very safe, the user wants to save the private key on
> a disk.
> But I cannot export the private key. This function cannot be selected.
> What can I do to export the private key?
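The procedure Steve describes (Certificates snap-in, Personal store, All Tasks > Export, and the "allow the private key to be exported" option that decides whether a later export is possible) can be checked from PowerShell on current Windows versions. The following is an added example and not code from the thread: it lists the EFS certificates in the current user's Personal store, reports for each whether a private key is present and whether that key is marked exportable, and wraps Export-PfxCertificate for the backup to removable media. It assumes Windows 8 / Server 2012 or later for the PKI module; the function names are mine.

```powershell
# Added example (not from the thread). Lists EFS certificates in the current
# user's Personal (My) store and reports private-key presence and exportability.
# Assumes Windows 8 / Server 2012 or later (PKI module for Export-PfxCertificate).

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

function Get-EfsCertificateStatus {
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid } |
        ForEach-Object {
            $cert = $_
            $exportable = $null                       # stays $null when it cannot be determined
            if ($cert.HasPrivateKey) {
                $rsa = $null
                # Legacy CSP keys (what Windows 2000/XP-era EFS used) come back as
                # RSACryptoServiceProvider; CNG keys may throw here, so fall back.
                try { $rsa = $cert.PrivateKey } catch { }
                if (-not $rsa) {
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                }
                if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # CSP key: the container records whether export was allowed at creation
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: consult the key's export policy bits
                    $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
                    $exportable = (($rsa.Key.ExportPolicy -band $allow) -ne 0)
                }
            }
            [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                Subject       = $cert.Subject
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                Exportable    = $exportable
            }
        }
}

# Back up one certificate plus private key to a password-protected PFX.
# Fails, as the thread describes, when the key is present but not exportable.
function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Path        # e.g. 'A:\efs-backup.pfx' on removable media
    )
    $password = Read-Host -Prompt 'PFX password' -AsSecureString
    Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$Thumbprint" -FilePath $Path -Password $password
}

Get-EfsCertificateStatus | Format-Table -AutoSize
```

Run it as the user who owns the certificate: the store and the key container are per user, which is why, as Steve says, an administrator cannot do the export on the user's behalf. A certificate that shows HasPrivateKey true but Exportable false is the situation the original post describes, and the only remedy is a new certificate issued under a policy that permits export.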
Anonymous
June 8, 2005 4:49:02 AM

Hello,
I have installed an "Enterprise root CA" on my Windows 2000 Server.
I open the MMC on a workstation with the Certificates snap-in. I select
"Certificate Manager", then "Active Directory User Object". Now my EFS
certificate appears.
If I want to export this certificate, I cannot select the private key.
Under "Certificate Manager", "Personal" there isn't a certificate. I can create
my own EFS certificate under "Personal": I open Internet Explorer and the
address of the root CA, for example http://servername/certsrv. I create
an EFS certificate with a private key that I can export. Problem: if I
create a file on the server and encrypt this file, then this file will be
encrypted with the certificate under "Active Directory User Object".
Why? Can I configure the CA so that it takes my own certificate?
Or can I, as administrator, create a certificate with an exportable private
key that is available in the domain? Or must I delete the EFS template?
Thank you!

"Roland Hübner" wrote:

> Hello,
> I have a Windows 2000 Server with Active Directory and 10 clients. Now I
> want to encrypt data on the server. I have installed a CA on a Windows 2000
> Server. A user from a workstation can encrypt a file; this is OK. The
> user is assigned the certificate.
> So that the system is very safe, the user wants to save the private key on
> a disk.
> But I cannot export the private key. This function cannot be selected.
> What can I do to export the private key?
Anonymous
June 8, 2005 1:55:18 PM

Keys can be marked as either exportable OR NOT, when
the certificate is created. It is part of the Certificate Policy
whether to allow the choice usually.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

"Roland Hübner" <RolandHbner@discussions.microsoft.com> wrote in message
news:86145DEF-A4A9-4498-BDA0-4BC1D32650E8@microsoft.com...
> Hello,
> I have installed an "Enterprise root CA" on my Windows 2000 Server.
> I open the MMC on a workstation with the Certificates snap-in. I select
> "Certificate Manager", then "Active Directory User Object". Now my EFS
> certificate appears.
> If I want to export this certificate, I cannot select the private key.
> Under "Certificate Manager", "Personal" there isn't a certificate. I can create
> my own EFS certificate under "Personal": I open Internet Explorer and the
> address of the root CA, for example http://servername/certsrv. I create
> an EFS certificate with a private key that I can export. Problem: if I
> create a file on the server and encrypt this file, then this file will be
> encrypted with the certificate under "Active Directory User Object".
> Why? Can I configure the CA so that it takes my own certificate?
> Or can I, as administrator, create a certificate with an exportable private
> key that is available in the domain? Or must I delete the EFS template?
> Thank you!
>
> "Roland Hübner" wrote:
>
> > Hello,
> > I have a Windows 2000 Server with Active Directory and 10 clients. Now I
> > want to encrypt data on the server. I have installed a CA on a Windows 2000
> > Server. A user from a workstation can encrypt a file; this is OK. The
> > user is assigned the certificate.
> > So that the system is very safe, the user wants to save the private key on
> > a disk.
> > But I cannot export the private key. This function cannot be selected.
> > What can I do to export the private key?
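Herb's point is that exportability is fixed when the key pair is generated and is governed by the certificate policy, i.e. the certificate template the Enterprise CA issues from. The following is an added example, not code from the thread or from Microsoft: it reads a template's msPKI-Private-Key-Flag attribute from the Configuration partition of Active Directory and tests the CT_FLAG_EXPORTABLE_KEY bit (0x10, defined in MS-CRTD), so an administrator can see whether certificates issued from that template will carry an exportable key. It assumes the ActiveDirectory module and read access to the Configuration naming context; the function name is mine, and 'EFS' is the CN of the built-in "Basic EFS" template, which you may need to replace with your own template's CN.

```powershell
# Added example (not from the thread). Reports whether a certificate template
# in AD allows the private key to be exported. Assumes the ActiveDirectory
# module and read access to the Configuration naming context.

$CT_FLAG_EXPORTABLE_KEY = 0x10   # bit of msPKI-Private-Key-Flag, per MS-CRTD

function Get-TemplateExportPolicy {
    param(
        # CN of the template object; 'EFS' is the CN of the built-in "Basic EFS" template (assumption: adjust to yours)
        [string]$TemplateName = 'EFS'
    )

    Import-Module ActiveDirectory
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    $template = Get-ADObject -SearchBase $searchBase -LDAPFilter "(cn=$TemplateName)" `
                             -Properties displayName, 'msPKI-Private-Key-Flag'
    if (-not $template) {
        throw "Template '$TemplateName' not found under $searchBase"
    }

    # Version 1 templates (Windows 2000) may carry no msPKI-* attributes at all;
    # treat a missing attribute as 0 (no export flag).
    $flags = [int]($template.'msPKI-Private-Key-Flag' | Select-Object -First 1)

    [pscustomobject]@{
        Template        = $template.displayName
        PrivateKeyFlags = ('0x{0:X8}' -f $flags)
        ExportableKey   = (($flags -band $CT_FLAG_EXPORTABLE_KEY) -ne 0)
    }
}

Get-TemplateExportPolicy -TemplateName 'EFS'
```

The built-in Basic EFS template is a version 1 template and cannot be edited; to change exportability you duplicate it into a version 2 template, which needs a Windows Server 2003 or later Enterprise CA, and then re-enrol the users. That is the "change the policy and issue new certificates" route Herb describes: the flag only affects keys generated after the change, never a key that already exists.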
Anonymous
June 9, 2005 2:08:54 AM

I am not quite sure what you are trying to accomplish, but to export an EFS
certificate and private key the user that "owns" that certificate/private
key needs to log on to the computer where the EFS certificate/private key
lives and then use the mmc snapin for "certificates" - my user account, and then
go to the personal\certificates folder. I don't know what you are trying to
do with "Certificate Manager" then "Active Directory User Object"?? If you go
to a user account in Active Directory Users and Computers you can see the
certificates that are mapped in AD to a user's account, but that is the
"public key" only. You must export from the computer where the certificate
and the private key are shown via the mmc snapin for my user account. ---
Steve


"Roland Hübner" <RolandHbner@discussions.microsoft.com> wrote in message
news:86145DEF-A4A9-4498-BDA0-4BC1D32650E8@microsoft.com...
> Hello,
> I have installed an "Enterprise root CA" on my Windows 2000 Server.
> I open the MMC on a workstation with the Certificates snap-in. I select
> "Certificate Manager", then "Active Directory User Object". Now my EFS
> certificate appears.
> If I want to export this certificate, I cannot select the private key.
> Under "Certificate Manager", "Personal" there isn't a certificate. I can create
> my own EFS certificate under "Personal": I open Internet Explorer and the
> address of the root CA, for example http://servername/certsrv. I create
> an EFS certificate with a private key that I can export. Problem: if I
> create a file on the server and encrypt this file, then this file will be
> encrypted with the certificate under "Active Directory User Object".
> Why? Can I configure the CA so that it takes my own certificate?
> Or can I, as administrator, create a certificate with an exportable private
> key that is available in the domain? Or must I delete the EFS template?
> Thank you!
>
> "Roland Hübner" wrote:
>
>> Hello,
>> I have a Windows 2000 Server with Active Directory and 10 clients. Now I
>> want to encrypt data on the server. I have installed a CA on a Windows 2000
>> Server. A user from a workstation can encrypt a file; this is OK. The
>> user is assigned the certificate.
>> So that the system is very safe, the user wants to save the private key on
>> a disk.
>> But I cannot export the private key. This function cannot be selected.
>> What can I do to export the private key?
Anonymous
June 13, 2005 7:13:01 PM

When a user encrypts a file remotely on a server, the EFS certificate/key is
generated for the user on the server. (A profile is created for the user on
the server and the certificate/key are stored in that profile.) If you want
to back up that certificate/key, you would have to log onto the server as the
user in order to access the profile data. (The certificate/private key can
only be backed up from the Certificates > Personal store for that user.) If
you configure your user to have a roaming profile, the server will use the
EFS certificate/key from the roaming profile (or generate a certificate/key
for that profile if it has none). The user will then be able to access the
same certificate/key from their roaming profile on their workstations and
back them up there.

Thanks.
Pat

--
This posting is provided "AS IS" with no warranties, and confers no rights.


"Roland Hübner" wrote:

> Hello,
> I have installed an "Enterprise root CA" on my Windows 2000 Server.
> I open the MMC on a workstation with the Certificates snap-in. I select
> "Certificate Manager", then "Active Directory User Object". Now my EFS
> certificate appears.
> If I want to export this certificate, I cannot select the private key.
> Under "Certificate Manager", "Personal" there isn't a certificate. I can create
> my own EFS certificate under "Personal": I open Internet Explorer and the
> address of the root CA, for example http://servername/certsrv. I create
> an EFS certificate with a private key that I can export. Problem: if I
> create a file on the server and encrypt this file, then this file will be
> encrypted with the certificate under "Active Directory User Object".
> Why? Can I configure the CA so that it takes my own certificate?
> Or can I, as administrator, create a certificate with an exportable private
> key that is available in the domain? Or must I delete the EFS template?
> Thank you!
>
> "Roland Hübner" wrote:
>
> > Hello,
> > I have a Windows 2000 Server with Active Directory and 10 clients. Now I
> > want to encrypt data on the server. I have installed a CA on a Windows 2000
> > Server. A user from a workstation can encrypt a file; this is OK. The
> > user is assigned the certificate.
> > So that the system is very safe, the user wants to save the private key on
> > a disk.
> > But I cannot export the private key. This function cannot be selected.
> > What can I do to export the private key?
Anonymous
June 14, 2005 3:09:21 AM

"Pat Hoffer [MSFT]" <pathoff@online.microsoft.com> wrote in message
news:4214AEAA-ECFF-43D1-9750-579C73BFF54A@microsoft.com...
> When a user encrypts a file remotely on a server, the EFS certificate/key is
> generated for the user on the server. (A profile is created for the user on
> the server and the certificate/key are stored in that profile.)

The above is inaccurate or misleading at best.

A roaming profile might be created
on SOME server if you set it up that way, but the location of
the roaming profile is totally unrelated to the file server where
the user encrypts files.

If they happen to be the same server that is merely an accident
and never automatic (admin must setup for roaming profiles.)

> If you want
> to back up that certificate/key, you would have to log onto the server as the
> user in order to access the profile data.

Login as the user is correct but you could logon from any machine
in the domain (trust relationship actually) where the profile was
available.

> (The certificate/private key can
> only be backed up from the Certificates > Personal store for that user.) If
> you configure your user to have a roaming profile, the server will use the
> EFS certificate/key from the roaming profile (or generate a certificate/key
> for that profile if it has none).

Actually this is the profile that will store the user's file keys.

There is no separate profile just because of EFS.

> The user will then be able to access the
> same certificate/key from their roaming profile on their workstations and
> back them up there.

Are you saying a user with a non-roaming profile will actually
have a server specific certificate stored on that particular server?

Do you have a reference for this behavior...?

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

>
> Thanks.
> Pat
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Roland Hübner" wrote:
>
> > Hello,
> > I have installed an "Enterprise root CA" on my Windows 2000 Server.
> > I open the MMC on a workstation with the Certificates snap-in. I select
> > "Certificate Manager", then "Active Directory User Object". Now my EFS
> > certificate appears.
> > If I want to export this certificate, I cannot select the private key.
> > Under "Certificate Manager", "Personal" there isn't a certificate. I can create
> > my own EFS certificate under "Personal": I open Internet Explorer and the
> > address of the root CA, for example http://servername/certsrv. I create
> > an EFS certificate with a private key that I can export. Problem: if I
> > create a file on the server and encrypt this file, then this file will be
> > encrypted with the certificate under "Active Directory User Object".
> > Why? Can I configure the CA so that it takes my own certificate?
> > Or can I, as administrator, create a certificate with an exportable private
> > key that is available in the domain? Or must I delete the EFS template?
> > Thank you!
> >
> > "Roland Hübner" wrote:
> >
> > > Hello,
> > > I have a Windows 2000 Server with Active Directory and 10 clients. Now I
> > > want to encrypt data on the server. I have installed a CA on a Windows 2000
> > > Server. A user from a workstation can encrypt a file; this is OK. The
> > > user is assigned the certificate.
> > > So that the system is very safe, the user wants to save the private key on
> > > a disk.
> > > But I cannot export the private key. This function cannot be selected.
> > > What can I do to export the private key?
Anonymous
June 14, 2005 10:39:55 AM

In article <usZ7sbJcFHA.3844@tk2msftngp13.phx.gbl>, in the
microsoft.public.win2000.security news group, Herb Martin
<news@LearnQuick.com> says...

> "Pat Hoffer [MSFT]" <pathoff@online.microsoft.com> wrote in message
> news:4214AEAA-ECFF-43D1-9750-579C73BFF54A@microsoft.com...
> > When a user encrypts a file remotely on a server, the EFS certificate/key is
> > generated for the user on the server. (A profile is created for the user on
> > the server and the certificate/key are stored in that profile.)
>
> The above is inaccurate or misleading at best.

Actually, the above is completely accurate. What you've posted is
inaccurate or misleading at best.

>
> A roaming profile might be created
> on SOME server if you set it up that way, but the location of
> the roaming profile is totally unrelated to the file server where
> the user encrypts files.

Wrong. No one is talking about roaming user profiles here.
>
> If they happen to be the same server that is merely an accident
> and never automatic (admin must setup for roaming profiles.)

Wrong again.

>
> > If you want
> > to back up that certificate/key, you would have to log onto the server as the
> > user in order to access the profile data.
>
> Login as the user is correct but you could logon from any machine
> in the domain (trust relationship actually) where the profile was
> available.

Wrong again.

>
> > (The certificate/private key can
> > only be backed up from the Certificates > Personal store for that user.) If
> > you configure your user to have a roaming profile, the server will use the
> > EFS certificate/key from the roaming profile (or generate a certificate/key
> > for that profile if it has none).
>
> Actually this is the profile that will store the users file keys.
>
> There is no separate profile just because of EFS.

Wrong again.

>
> > The user will then be able to access the
> > same certificate/key from their roaming profile on their workstations and
> > back them up there.
>
> Are you saying a user with a non-roaming profile will actually
> have a server specific certificate stored on that particular server?
>
> Do you have a reference for this behavior...?

http://www.microsoft.com/resources/documentation/Window...
n-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-
us/prnb_efs_umpb.asp

or

http://tinyurl.com/c4ded


--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
Anonymous
June 14, 2005 4:03:02 PM

Here's a deeper link:
http://www.microsoft.com/resources/documentation/Window...
Look under Ch 17 Encrypting File System > Remote EFS Operations... > Remote
EFS Operations in a File Share Environment.

Note that if you're using Web folders, rather than file shares, for remote
encryption, the encryption/decryption process takes place on the workstations
rather than the servers; so the EFS certificates/keys are generated and
stored in profiles on the workstations.

Thanks.
Pat
--
This posting is provided "AS IS" with no warranties, and confers no rights.


"Paul Adare" wrote:

> In article <usZ7sbJcFHA.3844@tk2msftngp13.phx.gbl>, in the
> microsoft.public.win2000.security news group, Herb Martin
> <news@LearnQuick.com> says...
>
> > "Pat Hoffer [MSFT]" <pathoff@online.microsoft.com> wrote in message
> > news:4214AEAA-ECFF-43D1-9750-579C73BFF54A@microsoft.com...
> > > When a user encrypts a file remotely on a server, the EFS certificate/key is
> > > generated for the user on the server. (A profile is created for the user on
> > > the server and the certificate/key are stored in that profile.)
> >
> > The above is inaccurate or misleading at best.
>
> Actually, the above is completely accurate. What you've posted is
> inaccurate or misleading at best.
>
> >
> > A roaming profile might be created
> > on SOME server if you set it up that way, but the location of
> > the roaming profile is totally unrelated to the file server where
> > the user encrypts files.
>
> Wrong. No one is talking about roaming user profiles here.
> >
> > If they happen to be the same server that is merely an accident
> > and never automatic (admin must setup for roaming profiles.)
>
> Wrong again.
>
> >
> > > If you want
> > > to back up that certificate/key, you would have to log onto the server as the
> > > user in order to access the profile data.
> >
> > Login as the user is correct but you could logon from any machine
> > in the domain (trust relationship actually) where the profile was
> > available.
>
> Wrong again.
>
> >
> > > (The certificate/private key can
> > > only be backed up from the Certificates > Personal store for that user.) If
> > > you configure your user to have a roaming profile, the server will use the
> > > EFS certificate/key from the roaming profile (or generate a certificate/key
> > > for that profile if it has none).
> >
> > Actually this is the profile that will store the users file keys.
> >
> > There is no separate profile just because of EFS.
>
> Wrong again.
>
> >
> > > The user will then be able to access the
> > > same certificate/key from their roaming profile on their workstations and
> > > back them up there.
> >
> > Are you saying a user with a non-roaming profile will actually
> > have a server specific certificate stored on that particular server?
> >
> > Do you have a reference for this behavior...?
>
> http://www.microsoft.com/resources/documentation/Window...
> n-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-
> us/prnb_efs_umpb.asp
>
> or
>
> http://tinyurl.com/c4ded
>
>
> --
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/
> "The English language, complete with irony, satire, and sarcasm, has
> survived for centuries without smileys. Only the new crop of modern
> computer geeks finds it impossible to detect a joke that is not clearly
> labeled as such."
> Ray Shea
>