Solved

Recovery Certificate issue

Posted on 2008-10-14
Last Modified: 2012-06-27
Our recovery certificate recently expired. I followed the instructions from Microsoft to create a new recovery certificate. However, when I try using the new recovery certificate to create a newly encrypted folder, I get an error "Recovery policy configured for this system contains invalid recovery certificate."

Am I missing something?  Thanks!

I used the instructions from the following MS KB

http://support.microsoft.com/default.aspx/kb/937536
Question by:jmerulla
10 Comments
 
LVL 76

Expert Comment

by:arnold
Did you try gpupdate /force to get the updated GPO?
The change might not have propagated.
 
LVL 5

Accepted Solution

by:
JBart_17 earned 250 total points
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 250 total points
Your recovery cert should be used to recover certs and should not be used by itself, as there would not be anything else to recover it (unless you have multiple recovery certs created, which you may want to consider having 2 or 3 of anyway).

You should use a normal file encryption cert to encrypt a file and then use the recovery cert to recover it.

There can also be issues sometimes of trying to encrypt the folder itself instead of the files within it, but that gets a little deep, so unless that directly applies I won't get into it.
 
LVL 2

Author Comment

by:jmerulla
I did run gpupdate /force which did not help.  Still get the error message. :-(
 
LVL 2

Author Comment

by:jmerulla
As of right now, if I try to create a new document in a folder that was previously encrypted, I get "Access Denied" and I have full Admin rights. Any suggestions?
 
LVL 31

Expert Comment

by:Paranormastic
Am I reading this correctly "was" as in it is not currently encrypted?  If that's the case then I would look at permissions on the folder and such.
If it is still encrypted, then you need to be able to do so under the correct user account for the encryption cert and using the same cert that it was encrypted under.
Could you please verify that you are using an end-user cert to encrypt with and not the recovery cert?
 
LVL 2

Author Comment

by:jmerulla
I am using the end user cert that was assigned to me.  I've had the same certificate since before the current one expired.  I used that certificate to create an encrypted folder and everything that I put in that folder encrypted without issue - until the certificate expired.

I followed Microsoft's instructions to create a new one, and everything went just like the instructions said.  That is until I tried to use it to create a new encrypted folder and got the error message about the system containing an invalid recovery certificate.

When I tried saving a new document in my previously encrypted folder, I get an "Access Denied" message.

I think the folder is still encrypted, since the folder name appears in green like any folder/file that has been encrypted.
 
LVL 31

Expert Comment

by:Paranormastic
Are you using an EFS cert issued from your CA or locally generated on the box?
Do you have both the old and new EFS certs installed, or did you remove the old one? You should have both so that you can still access the old information; hopefully you had it backed up first, with the private key, if you removed it.
 
LVL 76

Expert Comment

by:arnold
Usually an assigned EFS certificate is auto-renewed/regenerated by the system.  The process you went through is to generate a Recovery Certificate.  
Paranormastic, in an earlier post, said that you should use the recovery certificate to recover your user EFS certificate.

Try the following: get into the encrypted folder.  Right click on any of the encrypted files and get the properties.  Then go through the advanced button and look at the details on the Compression and encryption section.  You might be able to add a certificate there, but I think you have to repeat this process one file at a time.
 
LVL 2

Author Comment

by:jmerulla
I got it resolved with MS tech support. The part that was missing from their KB is that after the certificate has been created under Encrypting File System, it also has to be added to Trusted Root Certification Authorities, and then run gpupdate /force to replicate to the other DCs.

1. Please first remove all the old recovery agent certificates. To do this,

(1). On your domain controller, click "Domain Security Policy" from "Administrative Tools".
(2). In the left pane, expand to: Public Key Policies\Encrypting File System
(3). In the right pane, make sure to delete all the items.
(4). Close "Domain Security Policy" and allow enough time for this change to be propagated to other domain controllers.

2. Request a new certificate for recovery agent.

(1). Log on to a domain controller with Administrator account.
(2). Click Start, click Run, type cmd, and then click OK.
(3). At the command prompt, type cipher /r:file_name, and then press ENTER.

Note: file_name represents the file name that you want to use. Use a file name that is meaningful to you. Do not add an extension to the file name. Make sure that the new .cer and .pfx files are created in the same folder.  

3. Add the new certificate to the policy.
(1). On your domain controller, click "Domain Security Policy" from "Administrative Tools".
(2). In the left pane, expand to: Public Key Policies\Encrypting File System
(3). Right-click the "Encrypting File System", click "Add Data Recovery Agent"
(4). Follow the wizard to add the .cer file you created in step 2 above.
(5). Expand to another branch: Public Key Policies\Trusted Root Certification Authorities
(6). Right-click the "Trusted Root Certification Authorities", click Import. Follow the wizard to import the .cer file in step 2.

4. Quit the policy editor and allow enough time for these changes to be replicated to other DCs.
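
An added check, written in PowerShell and not part of the thread or of Microsoft's KB, that inspects the .cer produced by cipher /r before it is added as a Data Recovery Agent: it tests for the expiry that caused the original error, for the File Recovery EKU that distinguishes a DRA cert from an ordinary EFS user cert, and for the presence in Trusted Root that the MS support fix added. The .cer path is an assumed placeholder; run it on the domain controller as an administrator after the policy has propagated.

```powershell
# Added example (not from the thread): sanity-check a recovery agent .cer produced by
# "cipher /r:<file_name>" before adding it as a Data Recovery Agent.
# Assumption: the .cer path below is a placeholder; run on the DC as an administrator.
param(
    [string]$CerPath = 'C:\EFS-Recovery\efsdra.cer'   # assumed location of the cipher /r output
)

$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # Microsoft "File Recovery" EKU that a DRA cert carries

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
$now = Get-Date
$problems = @()

# 1. The thread's original symptom: an expired DRA cert makes the recovery policy "invalid".
if ($cert.NotAfter -lt $now)  { $problems += "certificate expired on $($cert.NotAfter)" }
if ($cert.NotBefore -gt $now) { $problems += "certificate not yet valid (NotBefore $($cert.NotBefore))" }

# 2. A DRA certificate must carry the File Recovery EKU; an end-user EFS cert will not.
$ekus = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if ($ekus -notcontains $FileRecoveryEku) { $problems += 'missing File Recovery EKU (not a recovery agent cert)' }

# 3. The missing step from the KB: the .cer also has to reach Trusted Root Certification Authorities.
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $inRoot) { $problems += 'not present in LocalMachine\Root (Trusted Root Certification Authorities)' }

# 4. cipher /r writes the private key to a .pfx beside the .cer; it must exist and be backed up offline.
$pfx = [System.IO.Path]::ChangeExtension($CerPath, '.pfx')
if (-not (Test-Path $pfx)) { $problems += "no private key file found at $pfx" }

if ($problems.Count -eq 0) {
    "OK: $($cert.Subject) thumbprint $($cert.Thumbprint) valid until $($cert.NotAfter)"
} else {
    "NOT READY: " + ($problems -join '; ')
}
```

If the Trusted Root check fails on a member server, that usually means the domain policy change has not replicated yet; rerun after gpupdate /force, as the thread advises.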