EFS remote with delegation won't stop using self-signed cert.

From: Greg W (greg_at_nospamyourITguy.com)
Date: 09/02/04


Date: Wed, 1 Sep 2004 17:23:18 -0700

Hello All,

Windows 2003 file server (trusted for delegation), XP client, Windows 2003
Certificate Server

I have a peculiar and reproducible issue using EFS over the network to a
file server.

When a user connects to the server from the network for the first time, a
profile is created and presumably the key pair is stored in the profile.
Ideally the user would have a roaming profile and their proper current key
pair would be available in the roaming profile. (This works fine on this
server as long as the user has a roaming profile)

My problem comes in when a user without a roaming profile connects over the
network and encrypts a file. The OS creates the profile and issues a
self-signed certificate... Darn, got to make the user a roaming profile.
Delete the profile from the file server, make the user a roaming profile.
Remove the encrypted files... Try to encrypt files again. Same
self-signed certificate is used.

All of the documentation I have read says that the key pair is stored in the
profile. Is there some place that the key pair is cached for the system to
use when delegating? I have tried several variations, logging on to the
file server locally and importing the proper key pair, but once the user has
encrypted with the self-signed certificate, I can't figure out how to make
it start using the CA-issued cert.

Please Help!

Thanks in advance, reply to group,

Greg Wilcox


