Solved

Encrypting a folder on Server 2008

Posted on 2014-12-11
354 Views
Last Modified: 2014-12-17
Dear Experts,

I am trying to create an encrypted folder on our server that will be accessible to only a few users.  When I tried to encrypt it, I got the "EFS recovery policy contains invalid recovery certificate" error, so I started to follow the instructions on how to export and then import the EFS private certificate.  Now I am getting an error that says "Windows cannot determine if this certificate has been revoked......".  If I go ahead and install this certificate anyway, the Recovery agent gets labeled UNKNOWN_USER.
The server I am trying to install the recovery agent on is not the domain controller, so I exported the EFS certificate from the domain controller, then moved it to this file server.  I am not sure if this is the correct method.  Also, the certificate I exported had an expiration date that is in the past, so I am very confused.
Please advise.
Question by:yballan
4 Comments
 
LVL 64

Expert Comment

by:btan
ID: 40495643
This looks like a similar case to this discussion
From the description, this certificate should be a self-signed one. You can verify this in the certificate console: the name under Issued To is the same as the one under Issued By if it is a self-signed certificate.
We can still decrypt files even though the EFS certificate is expired, because EFS stores existing private keys. As a result, I suspect that the issue results from one of the following causes:

• The private key corresponding to the certificate is damaged or deleted.
• The thumbprint listed in Users Who Can Access This File does not match any thumbprints for the user's certificates.

If any of the above factors is true, I am afraid that we may not be able to recover the data.
https://social.technet.microsoft.com/Forums/windows/en-US/3820fcc9-1fff-4c69-8f28-a54c935aaf60/i-cant-create-install-a-recovery-certificate-for-encrypted-files-help-needed?forum=itprovistasecurity

You can also use efsinfo to view thumbprints to help match up the certificates that are RAs. You need to have an RA export their recovery certificate and private key to a .pfx file.
http://support.microsoft.com/kb/243026

By default, the Administrator account has this certificate and is configured as the data recovery agent. If you are running your computers in a Windows domain, then the default Recovery Agent will be the Administrator account on the first domain controller you installed in your Windows domain. Kindly also see the best practices
http://support.microsoft.com/KB/223316
0
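The self-signed, expiry and thumbprint checks described in this comment, as an added PowerShell example (not btan's or the thread's code): it inventories every certificate in the user and machine personal stores that carries the Encrypting File System or File Recovery enhanced key usage, reports whether each one is self-signed, whether it is inside its validity window and whether its private key is present, and prints the thumbprint so it can be matched against efsinfo or cipher /c output. The two EKU OIDs and the Cert: store paths are standard Windows values; the function and variable names are this example's own.

```powershell
# Added example, not code from the thread. Inventories EFS user certificates and
# EFS recovery agent certificates and flags the conditions discussed above.
$EfsOid      = '1.3.6.1.4.1.311.10.3.4'    # EKU: Encrypting File System (user certificate)
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # EKU: File Recovery (recovery agent, as cipher /r creates)

function Get-EfsCertificateReport {
    param(
        # Personal stores of the current user and of the machine; add other store
        # paths if the recovery certificate was imported somewhere else.
        [string[]] $Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    $now = Get-Date
    foreach ($store in $Stores) {
        if (-not (Test-Path $store)) { continue }
        foreach ($cert in Get-ChildItem $store) {
            $ekuExt = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                Select-Object -First 1
            if (-not $ekuExt) { continue }
            $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
            $isRecovery = $ekus -contains $RecoveryOid
            if (-not ($isRecovery -or ($ekus -contains $EfsOid))) { continue }

            if ($isRecovery) { $role = 'Recovery agent' } else { $role = 'User EFS' }
            # Self-signed: Issued To equals Issued By, as the comment describes.
            $selfSigned = ($cert.Subject -eq $cert.Issuer)

            $problems = @()
            if ($cert.NotAfter -lt $now)  { $problems += 'expired' }
            if ($cert.NotBefore -gt $now) { $problems += 'not yet valid' }
            if (-not $selfSigned) {
                # A CA-issued certificate is only usable if its chain and revocation
                # status can be checked from this machine.
                $problems += 'CA-issued: chain and revocation status must be checkable'
            }

            New-Object PSObject -Property @{
                Store         = $store
                Role          = $role
                Subject       = $cert.Subject
                SelfSigned    = $selfSigned
                NotAfter      = $cert.NotAfter
                # For a recovery agent the private key belongs only on the machine
                # where recovery is performed, so $false is expected on a file server.
                HasPrivateKey = $cert.HasPrivateKey
                # Compare with the thumbprints efsinfo or cipher /c reports for a file.
                Thumbprint    = $cert.Thumbprint
                Problems      = ($problems -join '; ')
            }
        }
    }
}

Get-EfsCertificateReport |
    Format-Table Store, Role, SelfSigned, HasPrivateKey, NotAfter, Thumbprint, Problems -AutoSize
```

Run it as the user who will encrypt (and once in an elevated prompt for the machine store). An expired certificate in the Recovery agent role, or a recovery certificate whose thumbprint does not appear in the output at all, is what produces the "invalid recovery certificate" message the question describes.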
 

Author Comment

by:yballan
ID: 40500647
Dear btan,

Thank you for your reply, yes, I believe it is the same sort of issue.  I have read the threads, and am doing the same exact thing, but the results do not seem to be the same.
Since I am trying to encrypt a folder on our file server, I decided to test this out on my private PC first, so not to mess up the server with errors.
Please correct me if I am going about this the wrong way:
1.  I generate the recovery certificate on my PC and save them on a USB drive. (cipher creates .CER and .PFX files with no error.)
2.  Then I install these, by going through certificate import wizard.  Again, no error.
3.  I go to encrypt a test folder in my Document folder, and when I apply, I get "An error occurred applying attributes to the file:  c:\Users\xxx\yyyy    Recovery policy configured for this system contains invalid recovery certificate."

What am I doing wrong?
0
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40501848
Client computers cannot encrypt any new documents until a valid recovery agent certificate is available. Also, MS advised the cause as "The Encrypting File System (EFS) recovery policy that is implemented on this computer contains one or more EFS recovery agent certificates that have expired. These certificates cannot be used."

Check out the steps in handling this error http://support.microsoft.com/kb/937536

Also, other aspects: either renew the existing certificates or generate new certificates for the EFS recovery agents and reapply the recovery agent policy with those certificates. E.g.
Renewing certificates - http://technet.microsoft.com/en-us/library/cc738405(v=ws.10).aspx
Requesting certificates - http://technet.microsoft.com/en-us/library/cc778348(v=ws.10).aspx
0
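Once the recovery agent certificates have been renewed or regenerated and the recovery agent policy reapplied as this answer describes, the following added PowerShell check (not from the thread or from Microsoft's articles) confirms the result end to end: it refreshes policy, encrypts a scratch folder, writes a probe file into it, and then reads the recovery certificate thumbprints cipher /c records on that file and checks each one against the local certificate stores. It assumes cipher.exe's English output format ("Recovery Certificates:" followed by "Certificate thumbprint:" lines), cipher /c as available on Windows Vista/Server 2008 and later, and a scratch folder under $env:TEMP; the function name is this example's own.

```powershell
# Added example, not code from the thread. End-to-end check that the reapplied
# recovery agent policy lets this machine encrypt and that the recovery
# certificates it stamps on new files are valid. Assumes English cipher.exe output.
function Test-EfsRecoveryPolicy {
    param(
        [string] $TestDir = (Join-Path $env:TEMP 'efs-policy-check')  # assumed scratch folder
    )
    $report = New-Object PSObject -Property @{
        Encrypted = $false; RecoveryCertificates = @(); Problems = @() }
    try {
        gpupdate /force | Out-Null                       # pull the updated recovery policy
        New-Item -ItemType Directory -Path $TestDir -Force | Out-Null

        # Marking the folder is where the "invalid recovery certificate" error surfaces.
        $encOut = (cipher /e "$TestDir" 2>&1) | Out-String
        if ($encOut -match 'invalid recovery certificate') {
            $report.Problems += 'cipher /e still fails: the policy in effect carries an invalid recovery certificate'
            return $report
        }

        $probe = Join-Path $TestDir 'probe.txt'
        Set-Content -Path $probe -Value 'constructed probe data'   # inherits encryption from the folder
        $report.Encrypted = [bool]((Get-Item $probe).Attributes -band [IO.FileAttributes]::Encrypted)
        if (-not $report.Encrypted) {
            $report.Problems += 'probe file was not encrypted'
            return $report
        }

        # cipher /c lists "Users who can decrypt" first, then "Recovery Certificates";
        # each entry is followed by a "Certificate thumbprint:" line of spaced hex groups.
        $inRecovery = $false
        foreach ($line in (cipher /c "$probe")) {
            if ($line -match 'Recovery Certificates') { $inRecovery = $true; continue }
            if (-not $inRecovery) { continue }
            if ($line -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
                $tp = ($matches[1] -replace '\s', '').ToUpper()
                $cert = Get-ChildItem Cert:\ -Recurse |
                    Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
                if ($cert -eq $null) {
                    # On a domain member the recovery certificate comes from Group Policy
                    # and need not be in any local store; check its expiry in the policy editor.
                    $status = 'supplied by policy, not in a local store'
                } elseif ($cert.NotAfter -lt (Get-Date)) {
                    $status = "expired $($cert.NotAfter)"
                    $report.Problems += "recovery certificate $tp is expired"
                } else {
                    $status = "valid until $($cert.NotAfter)"
                }
                $report.RecoveryCertificates += New-Object PSObject -Property @{
                    Thumbprint = $tp; Status = $status }
            }
        }
        if ($report.RecoveryCertificates.Count -eq 0) {
            $report.Problems += 'no recovery certificate recorded on the probe file'
        }
        return $report
    }
    finally {
        # Remove the scratch folder so no stray encrypted data is left behind.
        cipher /d "$TestDir" | Out-Null
        Remove-Item -Path $TestDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

$r = Test-EfsRecoveryPolicy
$r | Format-List Encrypted, Problems
$r.RecoveryCertificates | Format-Table Thumbprint, Status -AutoSize
```

Run it on the file server as the account that will encrypt the real folder; an empty Problems list with Encrypted = True shows the new policy is in effect, and the thumbprint column tells you which recovery agent certificate new files will be bound to, which is the value to keep with the exported .pfx for later recovery.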
 

Author Closing Comment

by:yballan
ID: 40504710
Dear btan,
Thank you for pointing out the steps!
0
