Access Denied when trying to open a file that is encrypted on network share with EFS

  • Question

  • I just recently enabled EFS on the default domain policy, created a new network share, encrypted a file, added myself to that file and tried to open the file from my workstation. I then received an error "Access denied". I also tried to create a file and encrypt it on that same share and got an error "The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation."

    My steps.

    1. Enabled group policy for EFS, removed the expired certificate that was already there and created a new Data Recovery Agent.

    2. Created a network share, created a test file, enabled encryption on the file.

    3. In certmgr.msc, under Personal, requested a new certificate (Basic EFS).

    4. On the network share, in the file's Properties > Advanced > Details, added the user.

    5. From the workstation, tried to access the file: Access Denied. I can create any file I want; I just can't set the encrypt attribute on a file or open an encrypted file.

    Now if I go to the server where the CA is located, which is also the AD server, create a share and run the same process, it works as expected. I'm guessing I have to export the cert from the CA server as a PFX and import it to both the server that has the network share and the workstation, but that still doesn't seem to work. Maybe I don't understand how EFS works and this is not possible? Any suggestions would be appreciated.

    Monday, March 30, 2015 2:41 PM

Answers

  • You are correct in not understanding how EFS works.

    When you connect to an encrypted file via a network share, the encryption/decryption takes place *on* the server. To enable over-the-network access, the server's computer account must be trusted for delegation.

    The server actually impersonates the user and creates a user profile on the server (containing the defined EFS certificate and private key). The important thing to remember is that the file is transmitted in clear text from the server to the client.

    See http://blogs.technet.com/b/instan/archive/2010/08/11/remote-efs-decryption-and-trusted-for-delegation-requirements.aspx

    Brian

    • Proposed as answer by Amy Wang_ Friday, April 3, 2015 2:07 AM
    • Marked as answer by Amy Wang_ Monday, April 6, 2015 7:32 AM
    Monday, March 30, 2015 7:08 PM
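
The following PowerShell is an added example, not code from the thread or from Microsoft. It checks the prerequisites Brian's answer describes for opening an EFS-encrypted file over an SMB share: the file server's computer account must be trusted for delegation, the user account must not be blocked from delegation, the file must actually carry the Encrypted attribute, and, because the server decrypts before sending, the share should be checked for SMB encryption. It assumes the RSAT ActiveDirectory module is installed and run from a domain-joined machine; the server name `FS01`, user `jdoe`, share `EFSTest` and file `test.txt` are placeholders.

```powershell
# Added example (not from the original thread). Placeholder names below are assumptions.
Import-Module ActiveDirectory

$FileServer = 'FS01'       # assumed: server hosting the EFS share
$User       = 'jdoe'       # assumed: sAMAccountName of the user getting "Access denied"
$ShareName  = 'EFSTest'    # assumed: share name
$TestFile   = "\\$FileServer\$ShareName\test.txt"   # assumed: the encrypted test file

# 1. The server impersonates the user to decrypt the file locally, so its computer
#    account must be trusted for delegation (userAccountControl bit 0x80000).
$srv = Get-ADComputer -Identity $FileServer -Properties TrustedForDelegation
if (-not $srv.TrustedForDelegation) {
    Write-Warning "$FileServer is not trusted for delegation; remote EFS access will fail."
    # Enabling this lets the server impersonate any connecting user to any service,
    # so treat it as a security-sensitive change and review it before applying:
    #   Set-ADComputer -Identity $FileServer -TrustedForDelegation $true
}

# 2. The user must be allowed to be delegated: not marked "Account is sensitive and
#    cannot be delegated" (userAccountControl bit 0x100000) and not in Protected Users,
#    whose members' credentials cannot be delegated at all.
$usr = Get-ADUser -Identity $User -Properties AccountNotDelegated, MemberOf
if ($usr.AccountNotDelegated) {
    Write-Warning "$User is marked 'sensitive and cannot be delegated'."
}
if ($usr.MemberOf -match '^CN=Protected Users,') {
    Write-Warning "$User is a member of Protected Users; delegation is blocked."
}

# 3. Confirm the file is really EFS-encrypted and list the certificates that can
#    decrypt it (users and data recovery agents), as cipher.exe /c reports them.
$attrs = (Get-Item -LiteralPath $TestFile).Attributes
if ($attrs -band [System.IO.FileAttributes]::Encrypted) {
    cipher.exe /c $TestFile
} else {
    Write-Output "$TestFile is not EFS-encrypted."
}

# 4. The server decrypts before sending, so the content crosses the wire in clear text
#    unless SMB encryption is enabled on the share (SMB 3.0, Server 2012 and later).
Invoke-Command -ComputerName $FileServer -ScriptBlock {
    Get-SmbShare -Name $using:ShareName | Select-Object Name, EncryptData
}
```

Run it as an account that can read the AD objects and the share. The delegation checks explain the "must be trusted for delegation" error from the question; the cipher.exe output shows whether the user's EFS certificate was actually added to the file; and an `EncryptData` of `False` means the decrypted file is readable on the network path between server and workstation.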