W08 Enterprise EFS Recovery
- I'm trying to decrypt an EFS-encrypted file using the recovery agent, but I keep getting access denied. The system is Win Server 2008 Enterprise, AD DS, and AD CS with Enterprise Root CA running. In the default domain policy, the Encrypting File System policy has the administrator/domain admin cert that is issued by the enterprise root CA.
Looking at the file's encryption properties details, I can see the user's cert issued by the root CA, as well as the recovery cert from the recovery policy, with a thumbprint matching the one in the group policy.
The mmc user certificate store contains the EFS File Recovery certificate (installed by default on the Root CA domain controller). When attempting to decrypt the file from that machine, I get an access denied error.
I exported the EFS Recovery certificate private key from the DC and imported it to the workstation, logged in as the domain admin account, and double checked the mmc to see that I have the EFS RA cert private key. I still can't disable the encryption on the file; I get an access denied error.
This doesn't make any sense since the GPO has the EFS RA assigned, the file detail contains the EFS RA with matching thumbprint.
What am I missing here?
Answers
- Hi,
Did you choose "Enable Strong Private Key Protection" when importing DRA key? If so, please try to remove this option and try to import it again.
In order to remove the DRA certificate and private key, export the certificate with the Private key and choose the option “Delete the private key if the export is successful".
Try to import again.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked As Answer by Mervyn Zhang (MSFT, Moderator), Monday, November 16, 2009 3:11 AM
All Replies
- Use CIPHER to determine the exact certificate thumbprints and compare them with the Recovery Agent's certificates in his own personal certificate store by using CERTMGR.MSC. The subject names are not sufficient to determine whether the certificate used as the recovery agent on a file is really the certificate found in the recovery agent's profile.
ondrej.
- Proposed As Answer by Vadims Podans (MVP), Monday, November 09, 2009 9:52 AM
- Unproposed As Answer by gudel, Monday, November 09, 2009 7:45 PM
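The check ondrej describes (and the one the original poster says was done by hand in the mmc) can be scripted. The following PowerShell is an added example, not code from the thread or from Microsoft: it runs `cipher /c` on a file, pulls every "Certificate thumbprint:" line out of the "Users who can decrypt" and "Recovery Certificates" sections, and looks each thumbprint up in the current user's personal store (the store CERTMGR.MSC shows), reporting whether the certificate is present and whether a private key is associated with it. The function name and the sample file path are assumptions; run it as the account that is supposed to act as the recovery agent.

```powershell
# Added example (not from the thread): compare the thumbprints CIPHER reports for an
# EFS-encrypted file with the certificates in the current user's personal store.
# Assumes cipher.exe is on the PATH (it ships with Windows) and that the output of
# "cipher /c" contains "Users who can decrypt:" / "Recovery Certificates:" sections,
# each followed by one or more "Certificate thumbprint: XXXX XXXX ..." lines.
function Test-EfsRecoveryKey {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # path to the EFS-encrypted file to inspect
    )

    $lines = & cipher.exe /c $Path
    if ($LASTEXITCODE -ne 0) {
        throw "cipher /c failed for '$Path' (exit code $LASTEXITCODE)"
    }

    # Walk the output and remember which section each thumbprint belongs to.
    $section = 'unknown'
    $fromFile = foreach ($line in $lines) {
        if ($line -match '^\s*Users who can decrypt')  { $section = 'user';     continue }
        if ($line -match '^\s*Recovery Certificates')  { $section = 'recovery'; continue }
        if ($line -match 'thumbprint:\s*([0-9A-Fa-f ]+?)\s*$') {
            [pscustomobject]@{
                Role       = $section
                # CIPHER prints the hash in groups of four hex digits; normalise it
                # to the format the Cert: provider uses (no spaces, upper case).
                Thumbprint = ($Matches[1] -replace '\s', '').ToUpperInvariant()
            }
        }
    }

    # Personal store of the logged-on user, i.e. what CERTMGR.MSC displays.
    $store = Get-ChildItem -Path Cert:\CurrentUser\My

    foreach ($entry in $fromFile) {
        $cert = $store | Where-Object { $_.Thumbprint -eq $entry.Thumbprint } |
                Select-Object -First 1
        [pscustomobject]@{
            Role          = $entry.Role
            Thumbprint    = $entry.Thumbprint
            InUserStore   = [bool]$cert
            HasPrivateKey = if ($cert) { $cert.HasPrivateKey } else { $false }
            Subject       = if ($cert) { $cert.Subject } else { '(not in store)' }
        }
    }
}

# Usage (sample path is a placeholder):
Test-EfsRecoveryKey -Path 'C:\Data\secret.docx' | Format-Table -AutoSize
```

Read the output row for `Role = recovery`: `InUserStore = False` means the certificate in the file is not the one in this profile, whatever the subject names say; `InUserStore = True` with `HasPrivateKey = False` means only the public certificate was imported; `True`/`True` means the mapping is fine and the remaining suspect is how the key itself was imported, which is what the accepted answer points at.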
- As I mentioned earlier, the thumbprint matches the RA's cert, so the recovery cert is not the issue since it's GPO deployed. All thumbprints match.

