EFS using domain Certificate Authority Server and Data Recovery Agent

  • Question

  • I've recently set up a Windows Server 2003 certificate authority server on a Windows Server 2003 AD domain and created the associated group policies for EFS throughout the enterprise. Everything works fine, except I'm running into an issue decrypting the data as the DRA. If this is the correct forum for this post, please reply and I will go into detail about what is going on. Thanks.

    Wednesday, February 6, 2008 4:11 AM

Answers

  • Hi Leo,

    I performed further research on this issue. First, allow me to explain how EFS works. When EFS encrypts a file, it does the following:

    1.    Generates a bulk symmetric encryption key.

    2.    Encrypts the file by using the bulk encryption key.

    3.    Encrypts the bulk encryption key by using the EFS user's public key.

    4.    Stores the encrypted bulk key in a special field called the data decryption field (DDF), which is attached to the EFS file.

    For each designated recovery agent account, EFS does the following:

    1.    Encrypts the bulk encryption key by using the public key from each recovery agent certificate.

    2.    Stores the encrypted bulk key in a special field called the data recovery field (DRF), which is attached to the EFS file.

    In this case, as the recovery agent does not work for each encrypted file on each domain workstation and we found that the thumbprints listed in the encrypted files do match the thumbprint of the recovery agent certificate, this should not be a client-side issue, and I suspect that an invalid or damaged certificate is very likely the cause of the issue.

    My suggestions are:

    1.    Request a new recovery agent certificate and check the result.

    2.    Make sure that the NTFS permissions are configured correctly for the encrypted files.

    3.    Ensure the EFS recovery agent policy is configured and applied correctly for the new certificate.

    4.    Try to encrypt a new file on the client (which has already applied the policy and is aware of the new EFS recovery agent certificate), and then check if everything works.

    Since this is not a client-related issue, if you need further assistance when configuring the certificate and the group policy, you can:

    1.    Submit the issue to the Windows Server 2003 Newsgroup:

    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.active_directory&cat=en_US_09e458e2-5a48-4d89-a40f-847f472bc08e&lang=en&cr=US

    2.    If the issue is urgent, please contact our CSS for instant assistance.

    In addition, I've included the EFS deployment guide for your reference:

    Step-by-Step Guide to Using the Encrypting File System

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/efs.mspx

    Hope it helps.

    Sincerely,

    Joson Zhou

    Microsoft Online Community Support

    Wednesday, March 5, 2008 8:26 AM
    Moderator
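The DDF/DRF model described in this answer, together with the efsinfo thumbprint comparison suggested in the replies, can be turned into a single check that goes one step further than a thumbprint match. The following PowerShell script is an added example, not code from the thread or from Microsoft; it assumes cipher.exe (Windows Vista and later) is on the PATH and that its /c listing labels each entry with "Certificate thumbprint:" followed by space-separated hex groups, and it reports, for each recovery-agent (DRF) thumbprint on the file, whether the matching certificate in the current user's Personal store carries a private key and the File Recovery EKU.

```powershell
# Added example, not from the thread. Cross-checks the recovery-agent (DRF) thumbprints
# that "cipher.exe /c" reports for an encrypted file against the certificates in the
# current user's Personal store, so a "thumbprint matches but access is denied" case
# can be narrowed down to a missing private key, a wrong EKU, or an expired certificate.
# Assumptions: cipher.exe (Windows Vista and later) is on the PATH, and its /c output
# labels each DDF/DRF entry with "Certificate thumbprint:" followed by hex groups.
param([Parameter(Mandatory)][string]$Path)

$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # EKU OID for File Recovery (EFS DRA)

# Parse the listing: "Users who can decrypt:" entries belong to the DDF,
# "Recovery Certificates:" entries to the DRF. Spaces inside thumbprints are removed.
$section = ''
$thumbs  = @{ Users = @(); Recovery = @() }
foreach ($line in (& cipher.exe /c $Path 2>&1)) {
    if ($line -match 'Users who can decrypt') { $section = 'Users';    continue }
    if ($line -match 'Recovery Certificates') { $section = 'Recovery'; continue }
    if ($line -match 'Key Information')       { $section = '';         continue }
    if ($section -and $line -match 'thumbprint:\s*([0-9A-Fa-f ]+)\s*$') {
        $thumbs[$section] += ($Matches[1] -replace '\s', '').ToUpperInvariant()
    }
}
if ($thumbs.Recovery.Count -eq 0) { Write-Warning "No DRF entry found on $Path"; return }

$store = Get-ChildItem Cert:\CurrentUser\My
foreach ($thumb in $thumbs.Recovery) {
    $cert = $store | Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    if (-not $cert) {
        [pscustomobject]@{ Thumbprint = $thumb; InStore = $false; HasPrivateKey = $false;
                           FileRecoveryEku = $false; NotAfter = $null }
        continue
    }
    # A matching thumbprint only proves the public key matches the DRF entry;
    # decryption also needs the private key present and the File Recovery EKU.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $isDra  = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryEku })
    [pscustomobject]@{
        Thumbprint      = $thumb
        InStore         = $true
        HasPrivateKey   = $cert.HasPrivateKey
        FileRecoveryEku = $isDra
        NotAfter        = $cert.NotAfter
    }
}
```

Run it as the recovery agent account on the machine holding the imported certificate, e.g. `.\Check-EfsDra.ps1 -Path C:\data\test.txt`; a row with InStore true but HasPrivateKey false is the "thumbprint matches, access denied" pattern discussed in this thread.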
  • I appreciate your time and effort on this. I will give that a try, reissue the data recovery agent certificate, and see what happens.

    Leo

    Wednesday, March 5, 2008 12:36 PM

All replies

  • Hi Leo,

    Please understand that this forum mainly focuses on Windows Vista related issues. We would appreciate it if more detailed information were provided on this issue for troubleshooting.

    However, if the issue occurred on a computer running an operating system other than Windows Vista, I suggest submitting the issue to the respective newsgroup. Here are some commonly used newsgroups for your reference:

    Windows Server 2003 Newsgroup

    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.active_directory&cat=en_US_09e458e2-5a48-4d89-a40f-847f472bc08e&lang=en&cr=US

    Windows XP Newsgroup

    http://www.microsoft.com/technet/community/newsgroups/dgbrowser/en-us/default.mspx?dg=microsoft.public.windowsxp.general

    In a domain environment, the Windows Server 2003 Newsgroup should be a better resource to analyze the issue because domain group policies and a CA are deployed.

    In addition, you can export the encrypted information using the utility efsinfo.exe and check if the thumbprint listed in the result matches the thumbprint of the DRA certificate.

    Hope the information is helpful.

    Sincerely,

    Joson Zhou

    Microsoft Online Community Support

    Wednesday, February 13, 2008 9:27 AM
    Moderator
  • Thanks for the reply. I have since tried this setup on Vista Business and have received the same results, so I will post here in addition to the other forums.

    I've set up a Windows Server 2003 CA and deployed a group policy with security filtering for specific machines. The policy deploys the EFSAssistant and governs encryption policies. I've also changed the default recovery agent in the Group Policy to be a domain user account instead of the administrator account on the domain. I've logged in with a test account and all the files and folders get encrypted based on the policy. I also see that the efsagent shows up in the "users allowed to decrypt" box. I log into the CA as the efsagent, launch Certificates, and export the private key for decryption. I log into the PC that has the encrypted files as the efsagent and import the private key into the personal certificate store, and when I try to decrypt, I get the "access denied" error message. The certificate thumbprints for the efsagent match on the encrypted file and on the certificate imported onto the machine for the efsagent. I cannot understand why this is not working. Let me know if more information is needed.

    Friday, February 15, 2008 2:18 PM
  • Hi Leo,

    Please collect the following information for further research:
    ==================================

    1.      Is "efsagent" an account? Please confirm that the NTFS permissions are configured correctly for the encrypted files.

    2.      Export the encrypted information using the utility efsinfo.exe:
    ---------------------------------------------------------

    2.1 On the Windows Vista machine, download the utility from the following link:
    http://www.microsoft.com/downloads/details.aspx?familyid=9C70306D-0EF3-4B0C-AB61-81DA208F5C47&displaylang=en
    2.2 Install the utility.
    2.3 Click the Start button, type cmd.exe, right-click the cmd.exe icon and select Run as Administrator to open a Command Prompt.
    2.4 In the Command Prompt, go to the folder storing the utility (by default, the location is C:\Program Files\Resource Kit).
    2.5 Type efsinfo /r /u /c <Path of the encrypted folder> > efs.txt (the efs.txt file is stored in the folder where the utility is located).

    3.      Export the certificate information:
    ----------------------------

    3.1 Log onto the Windows Vista machine as efsagent.
    3.2 Open Certificate Manager by clicking the Start button, typing certmgr.msc in the Start Search box and pressing Enter.
    3.3 Click Personal, click Certificate, and click each certificate > All Tasks > Export to export all of them. (You do not need to export the private key.)

    4.      Check the status of the EFS certificate:
    -------------------------------------

    4.1 Log onto the Windows Vista machine as efsagent.
    4.2 Open Certificate Manager by clicking the Start button. Type certmgr.msc in the Start Search box and press Enter.
    4.3 Click Personal, click Certificate, double-click each certificate that lists Encrypting File System or File Recovery under Intended Purposes, and capture a screenshot of the General tab of each certificate.

    5.      Please zip the above information (files), rename the zip file using your logon ID and upload it to the following space:

    https://sftasia.one.microsoft.com/choosetransfer.aspx?key=6ac87808-d533-404b-bd8b-4a81f570f391
    Password: pH!n[vt0Zdc#

    Note: Please post a quick note in the current thread to inform me after updating the information.

    Please be assured that I will do my best to help you resolve the issue on the Windows Vista side. However, as I mentioned in the previous post, the Windows Server 2003 Newsgroup should be a better resource to analyze the issue because domain group policies and a CA are deployed in this environment. Thus, I suggest submitting the issue to the Windows Server 2003 Newsgroup for further troubleshooting in case we cannot identify the culprits in this forum.

    Sincerely,

    Joson Zhou

    Microsoft Online Community Support

    Monday, February 18, 2008 4:16 AM
    Moderator
  • Thanks. The information you requested has been posted utilizing the link above. When I get a chance, I will post in the Server 2003 forum. On Vista, I'm getting the message that a smart card is required, essentially telling me that access is denied.

    Monday, February 18, 2008 6:08 PM
  • Hi Leo,

    After checking the information, I found that the user efsagent1 should be able to decrypt this file.

    In this case, could you please upload the encrypted file and the File Recovery certificate (with private key) to me? I would like to perform local tests for further troubleshooting.

    In addition, please capture a screenshot of the message indicating that a smart card is required and upload it to me.

    Thanks.

    Sincerely,

    Joson Zhou

    Microsoft Online Community Support

    Wednesday, February 20, 2008 7:50 AM
    Moderator
  • Thank you for your assistance once again. I have uploaded the encrypted text file and a zip file. The text file is named test.txt and the zip file is called "Leo Cruz2.zip". In the zip file are a couple of screenshots, the private key for the efsagent, the private key for the test user account, and a readme.txt file. In the readme file you will find the private key password; the password is the same for both keys. I uploaded the test user account's private key because I believe that when I upload the encrypted document to any other computer, Windows automatically decrypts it. Sorry for the delay in posting, been busy. Let me know if you have any questions or issues.

    Leo

    Monday, February 25, 2008 5:23 PM
  • Hi Leo,

    Sorry, I forgot that the encrypted file will be decrypted when we upload it to the space.

    In fact, based on the information we collected, the File Recovery certificate should be able to decrypt the encrypted files. The thumbprints match. In order to resolve the issue more efficiently, I suggest contacting our Customer Service Support (CSS) for further troubleshooting. The support professionals there can debug the decryption process, which should be the best way to analyze the issue.

    To obtain the phone numbers for a specific technology request, please check the website listed below:
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

    Thank you for your understanding.

    Sincerely,

    Joson Zhou

    Microsoft Online Community Support

    Wednesday, February 27, 2008 4:31 AM
    Moderator
  • Everything was set up correctly, but for some reason, something was wrong with the EFS certificate. Re-issuing the certificate fixed the issue. Thanks everyone for your time.

    Friday, August 15, 2008 12:24 PM
  • Hi Mr Joson Zhou!

    I am new here, so I beg your pardon if I write in the wrong place!

    I encrypted my files with EFS, and one fine morning my Windows didn't boot up.

    So I made my "C" drive a secondary drive and saved mails and addresses, luckily, but didn't save my personal key to decrypt the EFS files.

    So I reinstalled Windows, and I can't open my EFS encrypted files.

    Please help me, anybody, if you can!

    Thanks in advance, Laszlo

    Wednesday, October 8, 2008 2:58 PM
  • I'm assuming that you encrypted your documents on your personal machine, not on a domain, in which case the machine issued a self-signed certificate which is only valid on that machine with your username and password combination. If lost, the only method of recovery is a 3rd party tool to brute force the encryption, which may or may not be successful. If the machine is part of a domain, it is possible that the decryption key is stored on the PDC as well as on the local machine.

    Wednesday, October 8, 2008 4:41 PM
  • Hi Jason, the site that I work at has an EFS issue. All files are encrypted on a file server (end-user home share). The end users' certificates that encrypted the files expired. Now the encrypted files cannot be opened or decrypted by the end users. I checked the encryption properties of the files of users who can access the files; they point to the expired user certificate and the expired recovery agent certificate thumbprint. I tried the DRA agent, but that certificate associated with the files expired also. I checked the thumbprint of the end-user certificate; it matches the expired cert. I also checked the DRA agent thumbprint that's associated with the files. Is there any way to get the files decrypted on the file server? I need the keys, but I cannot get keys from an expired cert.

    ohms102910@yahoo.com

    ohms

    Friday, April 12, 2013 12:28 PM