RE: Recovery agent for EFS, how can i get it done PLEASE HELP

From: "savvy95" <savvy95@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 20 Apr 2005 07:56:03 -0700

What type of cert do you want? If it's EFS, simply have the user encrypt a
file; poof! he has an EFS cert. If you want to make him a recovery agent
then simply add him to the cert list in file or folder.

Savvy95
MCT, MCSE, MCDBA, CCNA

"XP_2600" wrote:

> I go to mmc add/remove snap-in i add certificates and i choose my current
> user, then i go to personal/certificates and i right click and i choose
> request new certificate and then i choose the template, i tried all
> certificates types and in all cases i get this error:
> "---------------------------
> Certificate Request Wizard
> ---------------------------
> The certificate cannot be installed because of one or more of the following
> conditions:
> - There is a problem with your cryptographic hardware.
> - The cryptographic service provider (CSP) that created the request is
> malfunctioning.
> The error was: Keyset does not exist
> ---------------------------
> OK
> ---------------------------"
>
> "savvy95" wrote:
>
> > How are you requesting the Cert?
> >
> >
> > "XP_2600" wrote:
> >
> > >
> > > Savy95 you helped me alot man, now i fixed the problem and there is just a
> > > little problem im asking about it just to know is it a bug or not, admin can
> > > request cert normally now but my account which is member of both local and
> > > enterprise admins still cant request cert everytime i request i get this
> > > "---------------------------
> > > Certificate Request Wizard
> > > ---------------------------
> > > The certificate cannot be installed because of one or more of the following
> > > conditions:
> > > - There is a problem with your cryptographic hardware.
> > > - The cryptographic service provider (CSP) that created the request is
> > > malfunctioning.
> > > The error was: Keyset does not exist
> > > ---------------------------
> > > OK
> > > ---------------------------" the other accounts can request certs normally,
> > > any ideas ? thanks again man for help
> > > "savvy95" wrote:
> > >
> > > > On 2000, this can be accomplished:
> > > > A. Login as Local Administrator (not Domain)
> > > > B. Run mmc
> > > > C. Add the snap-in certificates
> > > > D. Go to personal; find cert for EFS
> > > > if not there, then close mmc, encrypt a file then decrypt
> > > > file, then repeat steps A-D)
> > > > E. Right click cert and export to floppy. DON'T Export key
> > > > F. Login with user credentials; run mmc; add snap-in certificates; go
> > > > to Personal
> > > > G. Right click right pane(in the white area or go to actions) and
> > > > choose import certificate
> > > >
> > > > On 2003
> > > > A. Administrators automatically have decryption rights or follow above
> > > > steps
> > > >
> > > > You can also check out:
> > > > http://www.microsoft.com/windows2000/techinfo/planning/security/efssteps.asp
> > > >
> > > > "XP_2600" wrote:
> > > >
> > > > > Guys i need your help, i have a windows 2003 server entrprise (upgraded from
> > > > > Windows 2000 advanced server sometime ago) i noticed that an employee
> > > > > encrypted some files and that wasnt allowed ( i didnt moved the allow
> > > > > encrypting files from the GP :( ) anyway i logged with the administrator
> > > > > which suppose to be able to recover the encypted files but its didnt do it,
> > > > > anyway i decrypt the files using the user account, but now i wanna add a
> > > > > reliable recovery agent, everytime i choose an account to be a recover agent
> > > > > (an account from domain administrators) i get this error "Add Recovery Agent
> > > > > ---------------------------
> > > > > The selected user has no certificates suitable for Encrypted File System
> > > > > Recovery and cannot be added as a recovery agent.
> > > > > Select another user.
> > > > > ---------------------------
> > > > > OK
> > > > > ---------------------------"
> > > > > i tried to install CA and then i tried to request certificate but i get this
> > > > > error "---------------------------
> > > > > Certificate Request Wizard
> > > > > ---------------------------
> > > > > The certificate cannot be installed because of one or more of the following
> > > > > conditions:
> > > > > - There is a problem with your cryptographic hardware.
> > > > > - The cryptographic service provider (CSP) that created the request is
> > > > > malfunctioning.
> > > > > The error was: Keyset does not exist
> > > > > ---------------------------
> > > > > OK
> > > > > ---------------------------"
> > > > >
> > > > > even if i see in the CA that the certificate has been issued and there is no
> > > > > faild certificates, i tried to skip this thing too and export the user
> > > > > certificate and then use it as recovery agent instead of choosing user name
> > > > > its success but the user who suppose to be recovery agent couldnt recover
> > > > > files too, i think he could recover folders only or at least thats whats
> > > > > happend with me
> > > > >
> > > > > When i tried to choose create recovery agent i got this error:
> > > > > "---------------------------
> > > > > Public Key Policies
> > > > > ---------------------------
> > > > > Windows cannot create a data recovery agent. Keyset does not exist
> > > > > ---------------------------
> > > > > OK
> > > > > ---------------------------"
> > > > > I know its complex and long post but please try to help me, thanks so much
> > > > >
> > > > >
> > > > >
.

References:
- Recovery agent for EFS, how can i get it done PLEASE HELP
  - From: XP_2600
- RE: Recovery agent for EFS, how can i get it done PLEASE HELP
  - From: savvy95
- RE: Recovery agent for EFS, how can i get it done PLEASE HELP
  - From: XP_2600
- RE: Recovery agent for EFS, how can i get it done PLEASE HELP
  - From: savvy95
- RE: Recovery agent for EFS, how can i get it done PLEASE HELP
  - From: XP_2600

Prev by Date: Re: Saved Queries - reprieved user account
Next by Date: Re: Failed adding a new partition to ADAM - Name ="OU=Verint"
Previous by thread: RE: Recovery agent for EFS, how can i get it done PLEASE HELP
Next by thread: RE: Recovery agent for EFS, how can i get it done PLEASE HELP
Index(es):
- Date
- Thread

Relevant Pages

Re: Unable to install Godaddy cert on SBS R2 Standard box
... I recently bought a ten year Turbo SSL cert, but I want to rebuild my server ... "Please create a new request,and request for a new certificate from ... Godaddy(issue a new certificate),then install the new certificate. ...
(microsoft.public.windows.server.sbs)
RE: Recovery agent for EFS, how can i get it done PLEASE HELP
... How are you requesting the Cert? ... > enterprise admins still cant request cert everytime i request i get this ... > The certificate cannot be installed because of one or more of the following ... >>> Recovery and cannot be added as a recovery agent. ...
(microsoft.public.windows.server.active_directory)
RE: Wireless connection problem from XP Pro SP2 to SBS 2003
... I go to request a certificate. ... I went ahead and requested a User cert, ... This computer can connect to other wireless networks without problems. ...
(microsoft.public.windows.server.sbs)
Re: Unable to install Godaddy cert on SBS R2 Standard box
... That is was why I started to install the Turbo cert. ... "Please create a new request,and request for a new certificate from ... Godaddy(issue a new certificate),then install the new certificate. ...
(microsoft.public.windows.server.sbs)
Re: Create certificates with CA
... you are using an enterprise CA - this prevents one user from getting a cert ... purpose which does not require authentication. ... > At the moment the only method I have of getting a certificate to a user is ... > to get their machine to browse to CertSrv and request a cert. ...
(microsoft.public.win2000.security)