EFS

Archived from groups: microsoft.public.win2000.security

Hello,
I have a Windows 2000 Server with Active Directory and 10 clients. Now I
want to encrypt data on the server. I have installed a CA on a Windows 2000
Server. A user from a workstation can encrypt a file; this is OK. The
user is issued the certificate.
So that the system stays safe, the user wants to save the private key on
a disk.
But I cannot export the private key. This option cannot be selected.
What can I do to export the private key?
  1.

    "Roland Hübner" <Roland Hbner@discussions.microsoft.com> wrote in message
    news:09A6E48F-FE98-4392-8DD1-524ACBEA3FFC@microsoft.com...
    > Hello,
    > I have a Windows 2000 Server with Active Directory and 10 clients. Now I
    > want to encrypt data on the server. I have installed a CA on a Windows 2000
    > Server.

    Is it an "Enterprise CA"? A stand-alone CA cannot auto-issue
    the domain certificates for EFS.

    Microsoft SHOULD have named 'Enterprise' as an AD CA or
    as an AD-Enterprise CA to help explain this key point.

    > A user from a workstation can encrypt a file; this is OK. The
    > user is issued the certificate.
    > So that the system stays safe, the user wants to save the private key on
    > a disk.

    The default policy for these keys is not "exportable", but that can be
    changed. Search Google for "changing certificate policy" and "exportable"
    or some such.

    > But I cannot export the private key. This option cannot be selected.
    > What can I do to export the private key?

    You cannot export that key, but you can change the policy and
    issue new certificates.

    BTW, WHY do you wish to allow the certificates to be exported?

    There are reasons, but there are also significant security risks and
    we might be able to solve the "real problem" another (better) way....

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]
  2.

    You cannot export the private key for the user; they must do that
    themselves. While the user is logged on, have them use the MMC snap-in for
    certificates for "user" and go to their Personal/Certificates folder. When
    they find their certificate for Encrypting File System [or possibly User
    certificate], have them right-click the certificate, select All Tasks and
    Export. The certificate used for EFS should have the ability to export the
    private key [assuming the private key is present] unless at one time the
    user exported and deleted it and then, when importing it back into their
    computer, did not select the option to allow the private key to be exported.
    The link below may be of help; see the section on how to back up your
    certificate, though it shows how to do so via Internet Explorer as another
    possible way to do it. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316

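    The export procedure Steve describes, as an added PowerShell example that is not code from the thread or from Microsoft. It is run as the user who owns the EFS certificate, on the machine whose profile holds the private key. It lists the EFS certificates in the user's Personal store, probes whether each private key is exportable (the greyed-out wizard option the poster sees), and writes the exportable ones to a password-protected PFX. The backup folder and the password prompt are assumptions made for the example.

```powershell
# Added example; not code from the thread or from Microsoft. Run as the
# user who owns the EFS certificate, on the machine whose profile holds the
# private key. $BackupDir and the password prompt are assumptions.

$EfsEku    = '1.3.6.1.4.1.311.10.3.4'                     # szOID_KP_EFS, the EFS enhanced key usage
$BackupDir = Join-Path $env:USERPROFILE 'efs-key-backup'  # assumed; move the PFX to removable media afterwards

function Get-EfsCertificate {
    # Any certificate EFS can use carries the EFS EKU, including self-signed ones.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $EfsEku
    }
}

function Test-EfsKeyExportable {
    # The greyed-out "export the private key" option in the wizard corresponds
    # to a key generated without the exportable flag. The reliable way to tell
    # is to attempt a PFX export: CryptoAPI rejects it with a
    # CryptographicException ("Key not valid for use in specified state").
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        [void]$Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'probe')
        return $true
    } catch [System.Security.Cryptography.CryptographicException] {
        return $false
    }
}

function Backup-EfsCertificate {
    # PKCS#12 export of certificate plus private key; the password is the only
    # thing protecting the key once the file leaves the profile.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [System.Security.SecureString]$Password
    )
    $bytes = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    $path  = Join-Path $BackupDir ('efs-{0}.pfx' -f $Cert.Thumbprint)
    [IO.File]::WriteAllBytes($path, $bytes)
    return $path
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$certs = @(Get-EfsCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No EFS certificate in Cert:\CurrentUser\My: encrypt a file first, or log on where the key was generated.'
    return
}
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
foreach ($cert in $certs) {
    $exportable = Test-EfsKeyExportable -Cert $cert
    '{0}  {1}  HasPrivateKey={2}  Exportable={3}' -f $cert.Thumbprint, $cert.Subject, $cert.HasPrivateKey, $exportable
    if ($exportable) {
        '  written to ' + (Backup-EfsCertificate -Cert $cert -Password $pfxPassword)
    }
}
```

    On Windows XP SP2 / Server 2003 and later, `cipher /x` produces the same PFX interactively; the script adds the exportability probe, which is what tells a non-exportable key apart from a key that is simply not present in this profile. Once the PFX exists, anyone holding it and its password can decrypt every file protected by that key, which is the risk Herb raises above, so keep it offline.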
  3.

    Hello,
    I have installed an "Enterprise root CA" on my Windows 2000 Server.
    I open the MMC on a workstation with the Certificates snap-in. I select
    "Certificate Manager" and then "Active Directory User Object". Now my EFS
    certificate appears.
    If I want to export this certificate, I cannot select the private key.
    Under "Certificate Manager" > "Personal" there is no certificate. I can create
    my own EFS certificate under "Personal": I open Internet Explorer
    and the address of my root CA, for example http://servername/certsrv. I create
    an EFS certificate with a private key that I can export. Problem: if I
    create a file on the server and encrypt this file, then this file is encrypted
    with the certificate under "Active Directory User Object".
    Why? Can I configure the CA so that it takes my own certificate?
    Or can I, as administrator, create a certificate with an exportable private
    key that is available in the domain? Or must I delete the EFS template?
    Thank you!

  4.

    Keys can be marked as either exportable OR NOT when
    the certificate is created. It is usually part of the certificate policy
    whether to allow the choice.

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]

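    Herb's point that the exportable flag is fixed at key generation, and Roland's question above about creating an exportable EFS certificate from the domain CA, as an added PowerShell example that is not code from the thread or from Microsoft. It writes a certreq request file with `Exportable = TRUE`, submits it to the enterprise CA against the built-in Basic EFS template (template name `EFS`), installs the result, and then checks which EFS keys in the store export. The CA config string and the subject are assumptions; the existing non-exportable key is left untouched, because nothing can change its flag after the fact.

```powershell
# Added example; not from the thread. Requests a new EFS certificate from an
# enterprise CA with the private key generated as exportable. The CA config
# string is an assumption: use the "hostname\CA name" shown by "certutil -dump".

$CaConfig = 'servername\Contoso Issuing CA'   # assumed; format is "hostname\CA common name"
$Template = 'EFS'                             # template name of the built-in "Basic EFS" template
$Work     = Join-Path $env:TEMP 'efs-request'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$inf = Join-Path $Work 'efs.inf'
$req = Join-Path $Work 'efs.req'
$cer = Join-Path $Work 'efs.cer'

# "Exportable = FALSE" (or leaving the line out) is the setting that yields the
# greyed-out "export the private key" option; the flag cannot be added later.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject       = "CN=$env:USERNAME"   ; the enterprise CA rebuilds the subject from AD for this template
Exportable    = TRUE                 ; the flag the poster is missing; FALSE = key can never leave the CSP
KeyLength     = 2048
KeySpec       = 1                    ; AT_KEYEXCHANGE, required for EFS
KeyUsage      = 0x10                 ; CERT_KEY_ENCIPHERMENT_KEY_USAGE
ProviderName  = "Microsoft Enhanced Cryptographic Provider v1.0"
MachineKeySet = FALSE                ; user key, stored in the user's profile
RequestType   = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.10.3.4         ; szOID_KP_EFS

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

certreq -new $inf $req                        # generates the key pair in the current user's profile
certreq -submit -config $CaConfig $req $cer   # enterprise CA issues immediately if the template permits
certreq -accept $cer                          # binds the certificate to the key in Cert:\CurrentUser\My

# Verify: the new key exports, the old one still does not.
Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains '1.3.6.1.4.1.311.10.3.4'
} | ForEach-Object {
    try   { [void]$_.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'probe'); $ok = $true }
    catch { $ok = $false }
    '{0}  NotAfter={1:d}  Exportable={2}' -f $_.Thumbprint, $_.NotAfter, $ok
}
```

    Files already encrypted with the old certificate stay bound to it; EFS only picks up the new certificate for files encrypted afterwards. Making the exportable setting the default for every user in the domain is a template property ("Allow private key to be exported") that exists on the editable version 2 templates of Windows Server 2003 Enterprise Edition; the version 1 templates a Windows 2000 CA issues cannot be edited, so a per-request setting like the one above is the route there.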
  5.

    I am not quite sure what you are trying to accomplish, but to export an EFS
    certificate and private key, the user that "owns" that certificate/private
    key needs to log on to the computer where the EFS certificate/private key
    lives and then use the MMC snap-in for "certificates" - my user account, and then
    go to the personal\certificates folder. I don't know what you are trying to
    do with "Certificate Manager" then "Active Directory User Object"?? If you go
    to a user account in Active Directory Users and Computers, you can see the
    certificates that are mapped in AD to a user's account, but that is the
    "public key" only. You must export from the computer where the certificate
    and the private key are shown via the MMC snap-in for my user account. ---
    Steve


  6.

    When a user encrypts a file remotely on a server, the EFS certificate/key is
    generated for the user on the server. (A profile is created for the user on
    the server and the certificate/key are stored in that profile.) If you want
    to back up that certificate/key, you would have to log onto the server as the
    user in order to access the profile data. (The certificate/private key can
    only be backed up from the Certificates > Personal store for that user.) If
    you configure your user to have a roaming profile, the server will use the
    EFS certificate/key from the roaming profile (or generate a certificate/key
    for that profile if it has none). The user will then be able to access the
    same certificate/key from their roaming profile on their workstations and
    back them up there.

    Thanks.
    Pat

    --
    This posting is provided "AS IS" with no warranties, and confers no rights.


  7.

    "Pat Hoffer [MSFT]" <pathoff@online.microsoft.com> wrote in message
    news:4214AEAA-ECFF-43D1-9750-579C73BFF54A@microsoft.com...
    > When a user encrypts a file remotely on a server, the EFS certificate/key
    > is generated for the user on the server. (A profile is created for the user
    > on the server and the certificate/key are stored in that profile.)

    The above is inaccurate or misleading at best.

    A roaming profile might be created
    on SOME server if you set it up that way, but the location of
    the roaming profile is totally unrelated to the file server where
    the user encrypts files.

    If they happen to be the same server that is merely an accident
    and never automatic (admin must setup for roaming profiles.)

    > If you want
    > to back up that certificate/key, you would have to log onto the server as
    > the user in order to access the profile data.

    Logging in as the user is correct, but you could log on from any machine
    in the domain (trust relationship, actually) where the profile was
    available.

    > (The certificate/private key can
    > only be backed up from the Certificates > Personal store for that user.)
    > If you configure your user to have a roaming profile, the server will use the
    > EFS certificate/key from the roaming profile (or generate a certificate/key
    > for that profile if it has none).

    Actually, this is the profile that will store the user's file keys.

    There is no separate profile just because of EFS.

    > The user will then be able to access the
    > same certificate/key from their roaming profile on their workstations and
    > back them up there.

    Are you saying a user with a non-roaming profile will actually
    have a server specific certificate stored on that particular server?

    Do you have a reference for this behavior...?

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]

  8.

    In article <usZ7sbJcFHA.3844@tk2msftngp13.phx.gbl>, in the
    microsoft.public.win2000.security news group, Herb Martin
    <news@LearnQuick.com> says...

    > "Pat Hoffer [MSFT]" <pathoff@online.microsoft.com> wrote in message
    > news:4214AEAA-ECFF-43D1-9750-579C73BFF54A@microsoft.com...
    > > When a user encrypts a file remotely on a server, the EFS certificate/key
    > > is generated for the user on the server. (A profile is created for the user
    > > on the server and the certificate/key are stored in that profile.)
    >
    > The above is inaccurate or misleading at best.

    Actually, the above is completely accurate. What you've posted is
    inaccurate or misleading at best.

    >
    > A roaming profile might be created
    > on SOME server if you set it up that way, but the location of
    > the roaming profile is totally unrelated to the file server where
    > the user encrypts files.

    Wrong. No one is talking about roaming user profiles here.
    >
    > If they happen to be the same server that is merely an accident
    > and never automatic (admin must setup for roaming profiles.)

    Wrong again.

    >
    > > If you want
    > > to back up that certificate/key, you would have to log onto the server as
    > > the user in order to access the profile data.
    >
    > Login as the user is correct but you could logon from any machine
    > in the domain (trust relationship actually) where the profile was
    > available.

    Wrong again.

    >
    > > (The certificate/private key can
    > > only be backed up from the Certificates > Personal store for that user.)
    > > If you configure your user to have a roaming profile, the server will use the
    > > EFS certificate/key from the roaming profile (or generate a certificate/key
    > > for that profile if it has none).
    >
    > Actually this is the profile that will store the users file keys.
    >
    > There is no separate profile just because of EFS.

    Wrong again.

    >
    > > The user will then be able to access the
    > > same certificate/key from their roaming profile on their workstations and
    > > back them up there.
    >
    > Are you saying a user with a non-roaming profile will actually
    > have a server specific certificate stored on that particular server?
    >
    > Do you have a reference for this behavior...?

    http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_umpb.asp

    or

    http://tinyurl.com/c4ded


    --
    Paul Adare
    MVP - Windows - Virtual Machine
    http://www.identit.ca/blogs/paul/
    "The English language, complete with irony, satire, and sarcasm, has
    survived for centuries without smileys. Only the new crop of modern
    computer geeks finds it impossible to detect a joke that is not clearly
    labeled as such."
    Ray Shea
  9.

    Here's a deeper link:
    http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_hzqx.asp
    Look under Ch 17 Encrypting File System > Remote EFS Operations... > Remote
    EFS Operations in a File Share Environment.

    Note that if you're using Web folders, rather than file shares, for remote
    encryption, the encryption/decryption process takes place on the workstations
    rather than the servers; so the EFS certificates/keys are generated and
    stored in profiles on the workstations.

    Thanks.
    Pat
    --
    This posting is provided "AS IS" with no warranties, and confers no rights.


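    Where the keys from Pat's and Paul's replies actually land on the file server, as an added PowerShell example that is not code from the thread or from the resource kit. Run as an administrator on the server, it walks the local user profiles and reports, per profile, the CAPI key containers under `AppData\Roaming\Microsoft\Crypto\RSA\<SID>` and the EFS certificates in the personal-store files under `AppData\Roaming\Microsoft\SystemCertificates\My\Certificates`; on Windows 2000 the same tree sits under `Documents and Settings\<user>\Application Data`. The certificate-file layout the decoder assumes (a sequence of property records of DWORD id, DWORD reserved, DWORD length, data, with property 32 holding the DER certificate) is an assumption stated in the code.

```powershell
# Added example; not code from the thread. Run as an administrator on the
# file server. Assumption for the decoder: each certificate file is a sequence
# of property records (DWORD propId, DWORD reserved, DWORD length, data), and
# property 32 (CERT_CERT_PROP_ID) carries the DER-encoded certificate.

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # szOID_KP_EFS

function Get-LocalProfile {
    # SID -> profile directory, from the list Windows maintains at logon.
    $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in Get-ChildItem -Path $list) {
        $sid  = $key.PSChildName
        $path = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
        if ($sid -notlike 'S-1-5-21-*' -or -not $path) { continue }   # skip LocalSystem, service accounts
        $account = $sid
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                       [System.Security.Principal.NTAccount]).Value
        } catch { }   # deleted or foreign account: keep the raw SID
        [pscustomobject]@{ Sid = $sid; Account = $account; Path = $path }
    }
}

function ConvertFrom-CertBlob {
    # Walk the property records until the one holding the certificate itself.
    param([byte[]]$Blob)
    $i = 0
    while ($i + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $i)
        $len    = [int][BitConverter]::ToUInt32($Blob, $i + 8)
        if ($i + 12 + $len -gt $Blob.Length) { break }   # truncated, or not a blob at all
        if ($propId -eq 32) {
            $der = New-Object byte[] $len
            [Array]::Copy($Blob, $i + 12, $der, 0, $len)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        }
        $i += 12 + $len
    }
    return $null
}

function Get-ServerEfsKeyMaterial {
    foreach ($p in Get-LocalProfile) {
        $roaming = Join-Path $p.Path 'AppData\Roaming\Microsoft'
        $keyDir  = Join-Path $roaming ('Crypto\RSA\' + $p.Sid)            # CAPI user key containers
        $certDir = Join-Path $roaming 'SystemCertificates\My\Certificates' # user's Personal store
        $keys  = @(); if (Test-Path $keyDir)  { $keys  = @(Get-ChildItem -Path $keyDir  -File) }
        $certs = @(); if (Test-Path $certDir) { $certs = @(Get-ChildItem -Path $certDir -File) }
        $efs = @(foreach ($f in $certs) {
            $c = ConvertFrom-CertBlob -Blob ([IO.File]::ReadAllBytes($f.FullName))
            if ($c -and (@($c.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $EfsEku)) { $c.Thumbprint }
        })
        [pscustomobject]@{
            Account         = $p.Account
            Profile         = $p.Path
            KeyContainers   = $keys.Count
            EfsCertificates = ($efs -join ', ')
        }
    }
}

Get-ServerEfsKeyMaterial | Format-Table -AutoSize
```

    A user who has only ever encrypted files over a share shows up here with a server-side profile, a key container and an EFS thumbprint, which is exactly why the backup has to be made while logged on as that user on this server; with a roaming profile the same tree travels with the user instead. The key container files are protected by DPAPI under the user's logon credentials, so the listing tells you where the key is, not what it contains. On current Windows, `cipher /c <file>` prints the thumbprints that can decrypt a given file, which you can match against the EfsCertificates column.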