EFS and Certificate Services

Archived from groups: microsoft.public.win2000.security

Ok, I'm hoping that this is a bug in the software, but in reality it's really
bugging me.

I created an Enterprise Root CA with an Enterprise Subordinate CA for issuing
EFS certificates. The Root CA is offline. The client, a 2000 pro machine,
is in the Domain and the user is a normal user of the domain (domain users)
and is in the administrators group on the local machine.

When the user encrypts a file, a certificate from the Subordinate CA is
issued. I check the thumbprint of the file and the certificate, which matched.
So far, so good. Then 5 minutes or so later a second certificate for EFS is
issued from the CA. This certificate has a different thumbprint and is never
used for EFS. Why the two certs? And how can I get only one!

PLEASE HELP!!!
--
RS
MCSE, MCP +I MCP
  1.

    Answers inline:

    In article <3659CB09-D379-4DC3-9C8C-2EF8690EF7D2@microsoft.com>,
    Rschraeger@discussions.microsoft.com says...
    > Ok, I'm hoping that this is a bug in the software, but in reality it's really
    > bugging me.
    >
    > I created an Enterprise Root CA with an Enterprise Subordinate CA for issuing
    > EFS certificates. The Root CA is offline.

    An Enterprise Root CA computer cannot be offline. An enterprise Root CA
    must be a domain member, and integrates with AD, not allowing it to be
    removed from the network.

    > The client, a 2000 pro machine, is in the Domain and the user is a normal user of the domain (domain users)
    > and is in the administrators group on the local machine.
    >

    No need to be in the local Administrators group.

    > When the user encrypts a file, a certificate from the Subordinate CA is
    > issued. I check the thumbprint of the file and the certificate, which matched.
    > So far, so good. Then 5 minutes or so later a second certificate for EFS is
    > issued from the CA. This certificate has a different thumbprint and is never
    > used for EFS. Why the two certs? And how can I get only one!

    The best practice is to issue the certificates *before* any encryption
    is attempted. I would recommend a custom v2 certificate template that
    implements key archival. Ensure that it is deployed using CAPICOM before
    attempting encryption.

    Where are they doing the encryption? If they are issued a single
    certificate, the client should not request another certificate unless
    encryption is attempted on a remote server. In this case, another cert
    would be requested for storage in the user's profile on the remote
    server.

    >
    > PLEASE HELP!!!
    >

    --
    ==
    Brian Komar
    MVP - Windows - Security
    http://www.identit.ca/blogs/brian
  2.

    Thanks for the response.

    Why not take the root offline? Isn't it best practice to take the root
    offline after it has given its cert to the sub. CA?

    Also this is a Windows 2000 CA so we can not do V2 certs.

    The user is encrypting a single file on their local machine, which is joined
    to the domain. An EFS cert is issued from the Sub. CA and 1 to 5
    minutes later a second EFS cert is issued. The first cert is the one that
    is used for all encryption. The second one is not used.

    Question is why the two certs?

    I can't believe this is the first time this has happened. I called MS and
    they were stumped on why this was happening. So far they say it's a bug and
    do not know if there is a workaround.

    Come on I can't be the only one that is trying to use a CA to issue EFS
    certs on Windows 2000.
    --
    RS
    MCSE, MCP +I MCP


  3.

    In article <E0088E0E-D95F-49B9-98FC-7D514C2586C6@microsoft.com>, in the
    microsoft.public.win2000.security news group,
    Rschraeger <Rschraeger@discussions.microsoft.com> says...

    > Why not take the root offline? Isn't it best practice to take the root
    > offline after it has given it's cert to the sub. CA?
    >

    A standalone root should be taken offline, yes, not an Enterprise Root.
    By definition, an Enterprise Root needs access to Active Directory and
    therefore needs to remain online.

    --
    Paul Adare
    MVP - Windows - Virtual Machine
    http://www.identit.ca/blogs/paul/
    "The English language, complete with irony, satire, and sarcasm, has
    survived for centuries without smileys. Only the new crop of modern
    computer geeks finds it impossible to detect a joke that is not clearly
    labeled as such."
    Ray Shea
  4.

    I thought the root CA was supposed to be taken offline for security reasons.
    Is it then better to deploy a standalone root CA with an enterprise sub. CA?
    Is that even possible?
    --
    RS
    MCSE, MCP +I MCP


  5.

    In article <4784A3B5-D2C8-4FCF-B5F0-46BBAE6DE5C8@microsoft.com>, in the
    microsoft.public.win2000.security news group,
    Rschraeger <Rschraeger@discussions.microsoft.com> says...

    > I thought the root CA was suppose to be take offline for security reasons.
    > Is it then better to deploy a standalone root CA with a enterprise sub. CA?
    > Is that even possible?
    >

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

    or

    http://tinyurl.com/28cjx

    I'd strongly suggest that you look into taking some training. A PKI that
    is improperly deployed and secured is worse than not having one at all.

    http://www.microsoft.com/learning/syllabi/en-us/2821Afinal.mspx

    --
    Paul Adare
    MVP - Windows - Virtual Machine
    http://www.identit.ca/blogs/paul/
    "The English language, complete with irony, satire, and sarcasm, has
    survived for centuries without smileys. Only the new crop of modern
    computer geeks finds it impossible to detect a joke that is not clearly
    labeled as such."
    Ray Shea
  6.

    Paul,

    I appreciate your concern for my training, but I believe that I have all the
    training I need. I was only looking for clarification on a few items, and for
    some reason the Enterprise root CA slipped my mind a little.

    I think it is because I'm battling this problem with multiple certificates
    being issued. At this time I can reproduce the problem on an enterprise CA
    (yes, it's online) issuing certs to clients. Yes, I also know that Enterprise
    CAs should not be issuing certs to clients. Again, this is only testing.
    Anyway, the clients receive multiple EFS certs from the CA. Looking at the
    certificate requests, the client is requesting an EFS cert... which the CA
    gives to the client; then the client requests another.


    --
    RS
    MCSE, MCP +I MCP


  7.

    In article <13FC1DA3-FB08-4DEA-8384-D2DAF0D1DAF9@microsoft.com>,
    Rschraeger@discussions.microsoft.com says...
    > Paul,
    >
    > I appreciate your concern for my training, but I believe that I have all the
    > training I need. I was only looking for clarification on a few items, and for
    > some reason the Enterprise root CA slipped my mind a little.
    >
    > I think it is because I'm battling this problem with multiple certificates
    > being issued. At this time I can reproduce the problem on an enterprise CA
    > (yes, it's online) issuing certs to clients. Yes, I also know that Enterprise
    > CAs should not be issuing certs to clients. Again, this is only testing.
    > Anyway, the clients receive multiple EFS certs from the CA. Looking at the
    > certificate requests, the client is requesting an EFS cert... which the CA
    > gives to the client; then the client requests another.
    >
    Where are you seeing the second certificate, in the Certification
    Authority console or in the user's Certificates console?

    I am wondering whether the certificates are issued to the same user
    profile, or to multiple computers.

    Brian
    --
    ==
    Brian Komar
    MVP - Windows - Security
    http://www.identit.ca/blogs/brian
  8.

    --
    RS
    MCSE, MCP +I MCP


  9.

    Brian,

    The certificates show up in Certificate Services and are also viewable
    in the user's Personal store.

    I called Microsoft and had a lengthy troubleshooting session with them. This
    was their response:

    "There was a bug submitted on this issue and the development team is not
    going to fix this for Windows 2000. This is however fixed in Windows
    XP. I will be sending another email with the response from the
    development team. The issue is that there is a bug in the autoenrollment
    code causing it to pull a second certificate unnecessarily. Although 2000
    clients cannot use autoenrollment to autoenroll for certificates, the code
    is still there and some certs are flagged as available for
    autoenrollment. ACRS (Automated Certificate Request Settings) is used by
    2000. EFS has created an ACRS, but Autoenrollment doesn't realize that a
    certificate has been enrolled for already. This is what is causing the
    second certificate to appear.

    Thank you and look forward to hearing from you."

    Then this response from the development team:

    "The request that the certificate auto enrollment behavior for Windows
    2000 be changed has been reviewed by senior Microsoft support
    professionals, escalation engineers, developers, and managers. We
    understand the impact this has to your business.

    Microsoft assures that there is no loss in functionality on account of
    the second certificate behavior. This behavior is present in Windows
    2000 from day one. This behavior does not occur in XP or Server 2003,
    where the AE (auto enrollment) code has been rewritten. There are valid
    usage scenarios on Win2000 today where customers benefit from the existing
    behavior. To fix this issue in Win2K properly, without breaking any
    existing customer scenarios or applications, we have to back port the new
    code from WinXP, which requires significant development and testing
    resources. This would result in significant code change and creates a risk
    of regressions to a very critical code path.

    Given the details above, we regret that we are not able to make this
    change. Please let us know if you have further questions."

    --
    RS
    MCSE, MCP +I MCP


    "Brian Komar" wrote:

    > In article <13FC1DA3-FB08-4DEA-8384-D2DAF0D1DAF9@microsoft.com>,
    > Rschraeger@discussions.microsoft.com says...
    > > Paul,
    > >
    > > I appreaciate your concern for my training but I beleive that I have all the
    > > training I need. I was only looking for clarification on a few items and for
    > > some reason the Enterprise root CA slipped my mind a little.
    > >
    > > I think it is because I'm battleing this problem with multiple certificates
    > > being issued. At this time I can reproduce the problem on a enterprise CA
    > > (yes its online) issuing certs to clients. Yes I also know that Enterprise
    > > CA's should not be issuing certs to clients. Again this is only testing.
    > > Anyway the clients recieve multiple EFS certs from the CA. Looking at the
    > > Certificate requests the clients is requesting a EFS cert...which the ca
    > > gives to the clients then the client requests another.
    > >
    > >
    > >
    > Where are you seeing the second certificate, in the Certification
    > Authority console or in the User's Certificate console.
    >
    > I am wondering whether the certificates are issued to the same user
    > profile, or to multiple computers.
    >
    > Brian
    > --
    > ==
    > Brian Komar
    > MVP - Windows - Security
    > http://www.identit.ca/blogs/brian
    >
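The thread's diagnosis is that Windows 2000 autoenrollment pulls a second EFS certificate that the file never references, so a user ends up holding two EFS certificates (and two private keys) from the same CA a few minutes apart. Anyone auditing such a user store, or deciding whether a stray certificate can safely be archived, wants three things: how many EFS certificates the user holds, which pairs were issued in quick succession by the same issuer, and which thumbprint actually protects a given file. The following PowerShell script is an added example, not code from the thread, from Microsoft, or from the posters; it assumes a current Windows PowerShell with cipher.exe available, and its parsing of `cipher /c` output (a "Certificate thumbprint:" line per user who can decrypt) is an assumption about that tool's output format. The 10-minute window is a constructed default, not a value from the thread.

```powershell
# Added example (not from the thread): audit EFS certificates in the current
# user's Personal store, flag a second certificate issued by the same CA within
# a short window (the double-enrolment pattern described in the thread), and
# show which thumbprint actually protects a given encrypted file.
# Assumptions: Windows PowerShell 5.1 or later; cipher.exe on the PATH; the
# "Certificate thumbprint:" line format of "cipher /c" output.
param(
    [string]$EncryptedFile,      # optional: path to an EFS-encrypted file
    [int]$WindowMinutes = 10     # constructed default for "issued shortly after"
)

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID

function Get-EfsCertificates {
    # Every certificate in CurrentUser\My whose Enhanced Key Usage lists EFS.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $ext = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ext -and ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEku })
    }
}

function Find-DuplicateEfsCertificates {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certs,
        [int]$Minutes
    )
    # Sort by issue time and compare each certificate with its predecessor;
    # same issuer plus a small gap is the pattern the thread describes.
    $sorted = @($Certs | Sort-Object NotBefore)
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $gap = ($sorted[$i].NotBefore - $sorted[$i - 1].NotBefore).TotalMinutes
        if ($sorted[$i].Issuer -eq $sorted[$i - 1].Issuer -and $gap -le $Minutes) {
            [pscustomobject]@{
                First      = $sorted[$i - 1].Thumbprint
                Second     = $sorted[$i].Thumbprint
                GapMinutes = [math]::Round($gap, 1)
                Issuer     = $sorted[$i].Issuer
            }
        }
    }
}

function Get-FileEfsThumbprints {
    param([string]$Path)
    # "cipher /c <file>" lists each user who can decrypt the file followed by a
    # "Certificate thumbprint:" line holding the SHA-1 hash in spaced groups
    # (format assumption). Strip everything that is not a hex digit.
    $out = & cipher.exe /c $Path 2>&1
    $out | Where-Object { $_ -match 'thumbprint' } | ForEach-Object {
        (($_ -split ':', 2)[1] -replace '[^0-9A-Fa-f]', '').ToUpper()
    }
}

$efsCerts = @(Get-EfsCertificates)
"EFS certificates in CurrentUser\My: $($efsCerts.Count)"
$efsCerts | Format-Table Thumbprint, NotBefore, NotAfter, Issuer -AutoSize

$dups = @(Find-DuplicateEfsCertificates -Certs $efsCerts -Minutes $WindowMinutes)
if ($dups.Count -gt 0) {
    "Possible double enrolment(s) within $WindowMinutes minutes:"
    $dups | Format-Table -AutoSize
}

if ($EncryptedFile) {
    # Compare the store against the thumbprint(s) embedded in the file's DDF.
    $inUse = @(Get-FileEfsThumbprints -Path $EncryptedFile)
    foreach ($c in $efsCerts) {
        $state = if ($inUse -contains $c.Thumbprint) { 'protects file' } else { 'NOT referenced by file' }
        '{0}  {1}' -f $c.Thumbprint, $state
    }
}
```

Run it as the user whose store is in question, optionally with `-EncryptedFile` pointing at one of that user's encrypted files; a certificate reported as "NOT referenced by file" is a candidate for the unused second enrolment the thread describes, but check it against every encrypted file before exporting or removing it, since deleting the one an old file still references loses access to that file unless a recovery agent exists. The CA-side view of the same question is the issued-certificate database: `certutil -view -restrict "CertificateTemplate=EFS" -out "RequestID,RequesterName,NotBefore,CertificateHash"` lists who received EFS certificates and when (column names as assumed here; confirm them with `certutil -schema` on the CA), which makes it easy to spot requesters with two rows a few minutes apart.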