asked on Encrypting a folder on Server 2008
Dear Experts,
I am trying to create an encrypted folder on our server that will be accessible to only a few users. When I tried to encrypt it, I got the "EFS recovery policy contains invalid recovery certificate" error, so I started to follow the instructions how to export then import the EFS private certificate. Now I am getting an error that says "Windows cannot determine if this certificate has been revoked......" error. If I go ahead and install this certificate anyway, the Recovery agents gets labeled UNKNOWN_USER.
The server I am trying to install the recovery agent is not the domain controller, so I exported the EFS certificate from the domain controller, then moved it to this file server. I am not sure if this is the correct method. Also, the certificate I exported had the expiration date that is in the past, so I am very confused.
Please advise.
I am trying to create an encrypted folder on our server that will be accessible to only a few users. When I tried to encrypt it, I got the "EFS recovery policy contains invalid recovery certificate" error, so I started to follow the instructions how to export then import the EFS private certificate. Now I am getting an error that says "Windows cannot determine if this certificate has been revoked......" error. If I go ahead and install this certificate anyway, the Recovery agents gets labeled UNKNOWN_USER.
The server I am trying to install the recovery agent is not the domain controller, so I exported the EFS certificate from the domain controller, then moved it to this file server. I am not sure if this is the correct method. Also, the certificate I exported had the expiration date that is in the past, so I am very confused.
Please advise.
Encryption
Last Comment
yballan
ASKER
Dear btan,
Thank you for your reply, yes, I believe it is the same sort of issue. I have read the threads, and am doing the same exact thing, but the results do not seem to be the same.
Since I am trying to encrypt a folder on our file server, I decided to test this out on my private PC first, so not to mess up the server with errors.
Please correct me if I am going about this the wrong way:
1. I generate the recovery certificate on my PC and save them on a USB drive. (cipher creates .CER and .PFX files with no error.)
2. Then I install these, by going through certificate import wizard. Again, no error.
3. I go to encrypt a test folder in my Document folder, and when I apply, I get "An error occurred applying attributes to the file: c:\Users\xxx\yyyy Recovery policy configured for this system contains invalid recovery certificate."
What am I doing wrong?
Thank you for your reply, yes, I believe it is the same sort of issue. I have read the threads, and am doing the same exact thing, but the results do not seem to be the same.
Since I am trying to encrypt a folder on our file server, I decided to test this out on my private PC first, so not to mess up the server with errors.
Please correct me if I am going about this the wrong way:
1. I generate the recovery certificate on my PC and save them on a USB drive. (cipher creates .CER and .PFX files with no error.)
2. Then I install these, by going through certificate import wizard. Again, no error.
3. I go to encrypt a test folder in my Document folder, and when I apply, I get "An error occurred applying attributes to the file: c:\Users\xxx\yyyy Recovery policy configured for this system contains invalid recovery certificate."
What am I doing wrong?
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Dear btan,
Thank you for pointing out the steps!
Thank you for pointing out the steps!
You can also use efsinfo to view thumbprints to help match up the certificates that are RA. You need to have
a RA export their recovery certificate and private key to a .pfx file.
http://support.microsoft.com/kb/243026
By default, the Administrator account has this certificate and is configured as the data recovery agent. If you are running your computers in a Windows domain, then the default Recovery Agent will be the Administrator account on the first domain controller you installed in your Windows domain. Kindly also see the best practices
http://support.microsoft.com/KB/223316