-DJL-
asked on
EFS problems on Windows Server 2003
I have EFS running in a Windows Server 2003 R2 domain environment. Certificate services is working correctly and is issuing certificates to users that can be used for file encryption and smart card logon. The Basic EFS, User and Smart Card logon templates have been disabled and a new single template created.
EFS on Vista workstations works correctly. The users certificates are roaming between workstations and files can be encrypted on the local machine - the correct recover agents are added to the files.
However, when a user attempts to encrypt a file stored on a Windows Server 2003 server the encryption fails with the error message - "the window cannot act on the sent message". If I allow EFS to create a self signed certificate for the user then the encryption works - but this obviously isn't usefull.
So the question is - why can't the file servers locate a users certifcate which is stored in AD in order to encrypt the file?
EFS on Vista workstations works correctly. The users certificates are roaming between workstations and files can be encrypted on the local machine - the correct recover agents are added to the files.
However, when a user attempts to encrypt a file stored on a Windows Server 2003 server the encryption fails with the error message - "the window cannot act on the sent message". If I allow EFS to create a self signed certificate for the user then the encryption works - but this obviously isn't usefull.
So the question is - why can't the file servers locate a users certifcate which is stored in AD in order to encrypt the file?
ASKER
Hi
No - theres no other information. Nothing is logged in the server or workstations event logs either. Do you know if EFS has log files anywhere?
No - theres no other information. Nothing is logged in the server or workstations event logs either. Do you know if EFS has log files anywhere?
That's really strange, i think your best change is contacting microsoft or if it are OEM licences, your software vendor. EFS really can be a bitch.
Good luck man, i can't help you on this.
Good luck man, i can't help you on this.
DJL,
Im assuming you have set the computer account of the Server to be "trusted for delegation"? I believe this is a setting needed to allow users to encrypt files on another PC (shared directory). The setting im referring to is in Active Directory Users and Computers, under the computer account for the server in which your shared directory resides.
Let me know if this helps at all.
Im assuming you have set the computer account of the Server to be "trusted for delegation"? I believe this is a setting needed to allow users to encrypt files on another PC (shared directory). The setting im referring to is in Active Directory Users and Computers, under the computer account for the server in which your shared directory resides.
Let me know if this helps at all.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
"the window cannot act on the sent message" is a default Windows system error code, and not very specific. More symptoms maybe?