Solved

EFS over the network - authenticating 2 different ways

Posted on 2006-11-03
Last Modified: 2013-12-04
So I have a weird issue.  We have a server located in a DMZ that is a drop server for files from our clients.  We have two different accounts (local to the server) that we use to log in and retrieve these files.  These accounts each have a locally encrypted directory (EFS) with a share off of it.
Both accounts are local admins on the box.

When we log in (map a drive) with account A to its share, no problem, send/receive files.

When we log in (map a drive) with account B to its share, I can see the files, but I can not cut or paste to it.

Since EFS over the network only works with Kerberos, it seems to me that I'm authenticating with kerberos for account A, but account B is defaulting to NTLM.  This is from any workstation.  Anyone have any ideas?

Greg
Question by:gherzog
3 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17874379
EFS can use either NTLM/LM or Kerberos; we may need more information about what OSes you're running...
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx#EME (see the last bullet point below)
When copying an encrypted file:
• If using Windows 2000 and the target server is running Microsoft® Windows NT Server 4.0, the file will be silently decrypted and copied to the server. If using Windows XP or Windows Server 2003, the user will be warned and prompted to allow the decryption operation.
• If the target server is running Windows 2000 or Windows Server 2003, and the machine account of the server is trusted for delegation in the Active Directory, the file will be silently decrypted and copied to the server where it will be re-encrypted using a local profile and encryption key.
Note: The file is transmitted on the network between the client and the server in an unprotected format. If this file contains confidential information, care should be given to ensure that the network connection also provides secure transmission of the data. Such network data protection might include IP Security (IPSec).
• If the target server is running Windows 2000 or Windows Server 2003 and the machine account of the server is not trusted for delegation in the Active Directory, or the server is in a workgroup or a Windows NT 4.0 domain, the file will not be copied and the user will receive an "access denied" error message.
The "access denied" error message is returned to applications from the NTFS file system in order to ensure compatibility with existing applications. The use of an alternate or more descriptive error message would cause many applications to fail or behave erratically.

The Windows XP Professional client contains some enhancements in the area of copying encrypted files. Both the shell interface and the command-line now support an option to allow or disallow file decryption. When an encrypted file is copied to a target location that does not allow remote encryption, the user will be prompted with a dialog box that allows a choice of whether or not to decrypt the file.
=========================
I assume account A is a domain account and account B is a work group account? Try copying the recovery agent key to the workgroup pc.
http://support.microsoft.com/kb/887414
http://support.microsoft.com/kb/241201
-rich
 
LVL 1

Author Comment

by:gherzog
ID: 17890796
The server is running Windows 2003.  It is not configured for delegation in Active Directory, nor is the account that works fine.  Both accounts are local accounts, not domain.

I think my logic on binding NTLM vs. Kerberos is sketchy; that makes no sense. If I can connect and use the one account (obviously Kerberos), it's not going to bind via NTLM based on a different set of user credentials. The binding should be all workstation based. So now I'm trying to figure out what the possible differences might be between these two accounts that would cause this behavior.

Greg
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 17891514
Do both accounts have equal access to their folders via NTFS permissions, and are both listed as RAs and/or Decryptors for their respective folders?
http://support.microsoft.com/kb/243026
http://www.microsoft.com/downloads/details.aspx?FamilyID=9c70306d-0ef3-4b0c-ab61-81da208f5c47&displaylang=en
C:\>efsinfo efs-test.txt /U /R   (/s will do subdirectories)
C:\
efs-test.txt: Encrypted
  Users who can decrypt:
    domain\user (user(user@domain.ad))
  Recovery Agents:
    user\Administrator (Administrator)
-rich
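The checks Rich suggests (NTFS rights for each account, who is listed as a decryptor or recovery agent on the folder) plus the delegation condition quoted from the Microsoft article in his first comment can be scripted so the two accounts are compared side by side. The script below is an added example, not code from the thread or from Microsoft; the folder path, server name and account names are placeholders, and it reads decryptor information from `cipher.exe /c` (Windows Vista/Server 2008 and later), which prints the same "Users who can decrypt" / "Recovery Agents" sections that `efsinfo /U /R` shows above. The section parser assumes that layout.

```powershell
# Added example, not from the original thread. Compares two accounts' standing on an
# EFS-encrypted drop folder: NTFS rights, EFS decryptors / recovery agents, and
# (only if the server is domain-joined) whether its machine account is trusted
# for delegation. All paths and names below are placeholders.
param(
    [string]$Folder     = 'D:\Drop\ClientShare',                        # placeholder path
    [string[]]$Accounts = @('DROPSRV\AccountA', 'DROPSRV\AccountB'),    # placeholder accounts
    [string]$ServerName = $env:COMPUTERNAME
)

function Test-EfsEncrypted {
    # True when the Encrypted attribute is set on the file or directory.
    param([string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

function Get-NtfsRightsFor {
    # One row per identity: explicit ACEs on the path, or a marker when none exist
    # (inherited rights still show up here because Get-Acl returns them too).
    param([string]$Path, [string[]]$Identities)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($id in $Identities) {
        $aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $id }
        [pscustomobject]@{
            Identity = $id
            Rights   = if ($aces) {
                           ($aces | ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join '; '
                       } else { '<no ACE for this identity>' }
        }
    }
}

function Get-EfsDecryptors {
    # Parses the "Users who can decrypt:" and "Recovery Agents:" sections of
    # "cipher /c"; a blank line ends a section. Certificate thumbprint lines are
    # skipped so only the principal names are returned. Layout is an assumption.
    param([string]$Path)
    $lines   = & cipher.exe /c $Path 2>&1
    $section = $null
    $result  = @{ Decryptors = @(); RecoveryAgents = @() }
    foreach ($line in $lines) {
        switch -Regex ($line) {
            '^\s*Users who can decrypt' { $section = 'Decryptors';     continue }
            '^\s*Recovery Agents'       { $section = 'RecoveryAgents'; continue }
            '^\s*$'                     { $section = $null;            continue }
            default {
                if ($section -and $line -notmatch 'thumbprint') {
                    $result[$section] += $line.Trim()
                }
            }
        }
    }
    return $result
}

function Test-TrustedForDelegation {
    # Only meaningful on a domain-joined server; needs the ActiveDirectory module.
    # Returns $null when the module is unavailable (workgroup / DMZ box).
    param([string]$ComputerName)
    if (-not (Get-Command Get-ADComputer -ErrorAction SilentlyContinue)) { return $null }
    return (Get-ADComputer -Identity $ComputerName -Properties TrustedForDelegation).TrustedForDelegation
}

"Folder $Folder is EFS-encrypted: $(Test-EfsEncrypted $Folder)"
Get-NtfsRightsFor -Path $Folder -Identities $Accounts | Format-Table -AutoSize
$efs = Get-EfsDecryptors -Path $Folder
"Users who can decrypt: $($efs.Decryptors -join ', ')"
"Recovery agents:       $($efs.RecoveryAgents -join ', ')"
$deleg = Test-TrustedForDelegation -ComputerName $ServerName
if ($null -eq $deleg) { "Delegation: not applicable (no AD module / workgroup server)" }
else                  { "Machine account trusted for delegation: $deleg" }
```

Run it once per share folder with the two local accounts as `-Accounts`; an account that appears in the NTFS table but not under "Users who can decrypt" explains exactly the symptom in the question (directory listing works, writing into the encrypted folder fails with access denied).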
