karlkawano
asked on
Configuring Encryption on Windows XP in a Windows 2000 Domain Environment
Hi,
There is a problem one of our clients are experiencing and I want to see if I can help them out. To achieve this, I need to set up file encryption on one of our computers in the domain. I don't have any experience in this area for our local network.
We are running a Windows 2000 domain with Windows XP clients. I first tried right clicking the file >> properties >> Encrypt contents to secure data. This gives me the following error:
"Recovery policy configured for this system contains invalid recovery certificate".
After doing some research, I found that I need to have a recovery agent configured. In the local policies there is one certificate under "Public Key Policies/Encrypting File System which is Administrator and in the "Intended Purposes" field it says "File Recovery". I assume this is a local file recovery certificate and since I am in a domain, I must import a Domain level certificate. I hope I am on the right track to this point.
Here is where I am stuck in the fact that I want to be very cautious about what I do. Obviously, I do not want to do anything harm anything on our network. What do I need to do from here? Do I export a domain certificate and import it locally? I also tried "Browse Directory", selected Enterprise Admin, Domain Admin and my user object (with god privilages) and received this error message - "The selected user has no certificates suitable for Encryption File System Recovery and cannot be added as a recovery agent."
In doing some testing in various areas such a trying to create a certificate, I received errors such as "...there is no certificate authority...". I bypassed those and went on to other testing but thought that may be useful to note that.
My overall goal is simply to set up 1 domain client system with encryption.
Thanks in advance for the help!!!!
Best Regards,
Karl
There is a problem one of our clients are experiencing and I want to see if I can help them out. To achieve this, I need to set up file encryption on one of our computers in the domain. I don't have any experience in this area for our local network.
We are running a Windows 2000 domain with Windows XP clients. I first tried right clicking the file >> properties >> Encrypt contents to secure data. This gives me the following error:
"Recovery policy configured for this system contains invalid recovery certificate".
After doing some research, I found that I need to have a recovery agent configured. In the local policies there is one certificate under "Public Key Policies/Encrypting File System which is Administrator and in the "Intended Purposes" field it says "File Recovery". I assume this is a local file recovery certificate and since I am in a domain, I must import a Domain level certificate. I hope I am on the right track to this point.
Here is where I am stuck in the fact that I want to be very cautious about what I do. Obviously, I do not want to do anything harm anything on our network. What do I need to do from here? Do I export a domain certificate and import it locally? I also tried "Browse Directory", selected Enterprise Admin, Domain Admin and my user object (with god privilages) and received this error message - "The selected user has no certificates suitable for Encryption File System Recovery and cannot be added as a recovery agent."
In doing some testing in various areas such a trying to create a certificate, I received errors such as "...there is no certificate authority...". I bypassed those and went on to other testing but thought that may be useful to note that.
My overall goal is simply to set up 1 domain client system with encryption.
Thanks in advance for the help!!!!
Best Regards,
Karl
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Walter,
Just saw your post. I'll try it now and let you know how it goes.
Thanks,
Karl
Just saw your post. I'll try it now and let you know how it goes.
Thanks,
Karl
ASKER
Hi Walter,
I followed the procedures and was able to successfully create a recover agent and import it. I was sure it was going to work - until I tried it. Same error when encrypting:
"Recovery policy configured for this system contains invalid recovery certificate".
When I look the the cermgr under Certificates-Current User >> Personal >> Certificates I see 2 certificates. One has intended purposes "Encrypting File System" and the other "File Recovery" (I assume the one we just created).
So what is the next step? One noticable item that stands out in my mind is that he started off with step 1 as just encrypting a folder without first creating the recovery agent. I read somewhere that the first time you try to encrypt a file it creates the cert file encryption cert. Does this mean that since it didn't work for me initially that there is some other underlying issue?
Thanks for the help,
Karl
I followed the procedures and was able to successfully create a recover agent and import it. I was sure it was going to work - until I tried it. Same error when encrypting:
"Recovery policy configured for this system contains invalid recovery certificate".
When I look the the cermgr under Certificates-Current User >> Personal >> Certificates I see 2 certificates. One has intended purposes "Encrypting File System" and the other "File Recovery" (I assume the one we just created).
So what is the next step? One noticable item that stands out in my mind is that he started off with step 1 as just encrypting a folder without first creating the recovery agent. I read somewhere that the first time you try to encrypt a file it creates the cert file encryption cert. Does this mean that since it didn't work for me initially that there is some other underlying issue?
Thanks for the help,
Karl
ASKER
One other note,
When I try to open any of the certificates, the cert has a red X and says:
"This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store"
Hope this gives some sort of clue.
Thanks Again,
Karl
When I try to open any of the certificates, the cert has a red X and says:
"This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store"
Hope this gives some sort of clue.
Thanks Again,
Karl
ASKER
I did view that KB article. I also viewed this one:
Best Practices for the Encrypting File System - http://support.microsoft.com/kb/223316/EN-US/
My understanding of the problem is that by default Windows XP Recovery agent is disabled. You have to add a authorize "Recovery Agent Certificate" to enable it and allow the encryption to happen. How and where do I export or create this certificate?
Thanks,
Karl