I have a user using EFS to protect some sensitive information on a shared drive. This was working fine until the account password expired and was changed. The user reported that they could open the files, but could not save changes. I had the user remove the encryption from all folders, which was successful and they could again modify the files. We then tried to encrypt the files again, but an error box is displayed stating "The Recovery Policy configured for this system contains an invalid recovery certificate." I deleted thier certificate, and tried to encrypt the files again with the same result.

The client computer is running XP Professional, the share is on a Windows Server 2003 server, and the user account is an Active Directory account. Any input is appreciated

Mike

It is saying the certificate for the "Recovery Agent" is invalid, not
the actual account doing the Encryption. If on a domain, when running
Win2k, the designated recovery agent was the default "Domain Admin", WinXP
there is not designated recovery agent, unless on a Win2k3 domain, which I
believe requires you to designate a recovery agent.
I believe all the Hoopla about files getting encrypted and then the
encryption key certificate gets corrupted and or destroyed (due to reformat
and install on the workstation) and no recovery agent was designated
prompted these changes.
"Mike" <(E-Mail Removed)> wrote in message
news:28983D92-BC2F-4D75-8005-(E-Mail Removed)...
> I have a user using EFS to protect some sensitive information on a shared
drive. This was working fine until the account password expired and was
changed. The user reported that they could open the files, but could not
save changes. I had the user remove the encryption from all folders, which
was successful and they could again modify the files. We then tried to
encrypt the files again, but an error box is displayed stating "The Recovery
Policy configured for this system contains an invalid recovery
certificate." I deleted thier certificate, and tried to encrypt the files
again with the same result.
>
> The client computer is running XP Professional, the share is on a Windows
Server 2003 server, and the user account is an Active Directory account. Any
input is appreciated.
>
> Mike

A user changing their own password should not normally cause a problem, while having
their password reset will prevent that user from accessing their encrypted files
which is not happening in this case. Saving/encrypting EFS files requires the user's
and recovery agent's [if configured] certificate. Since you received an error
message about the recovery agent, I would find where that policy is configured for
the server which could be at the domain/OU/local level security policy under security
settings/public key policies/encrypted file system and examine the recovery agent
certificate to make sure that it is indeed a certificate for recovering files and it
is trusted [it should say if it is not on the general page]. I am not sure if this
may be an issue, but also run netdiag on the Windows 2003 server looking for any
failed tests that may indicate a problem with it's computer account/secure channel
that may also be causing the problem. -- Steve

http://support.microsoft.com/default...en-us%3B321708

"Mike" <(E-Mail Removed)> wrote in message
news:28983D92-BC2F-4D75-8005-(E-Mail Removed)...
> I have a user using EFS to protect some sensitive information on a shared drive.
This was working fine until the account password expired and was changed. The user
reported that they could open the files, but could not save changes. I had the user
remove the encryption from all folders, which was successful and they could again
modify the files. We then tried to encrypt the files again, but an error box is
displayed stating "The Recovery Policy configured for this system contains an
invalid recovery certificate." I deleted thier certificate, and tried to encrypt the
files again with the same result.
>
> The client computer is running XP Professional, the share is on a Windows Server
2003 server, and the user account is an Active Directory account. Any input is
appreciated.
>
> Mike

Yup - that explains the decision in part. RAs also don't make a lot of
sense for stand-alone machines - probably only one user anyway. RAs make
more sense in domains in a larger org.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


"Star Fleet Admiral Q" <Star_Fleet_Admiral_Q(NOSPAM)@(SPAMNOT)hotmail.com>
wrote in message news:(E-Mail Removed)...
> It is saying the certificate for the "Recovery Agent" is invalid, not
> the actual account doing the Encryption. If on a domain, when running
> Win2k, the designated recovery agent was the default "Domain Admin", WinXP
> there is not designated recovery agent, unless on a Win2k3 domain, which I
> believe requires you to designate a recovery agent.
> I believe all the Hoopla about files getting encrypted and then the
> encryption key certificate gets corrupted and or destroyed (due to
reformat
> and install on the workstation) and no recovery agent was designated
> prompted these changes.
> "Mike" <(E-Mail Removed)> wrote in message
> news:28983D92-BC2F-4D75-8005-(E-Mail Removed)...
> > I have a user using EFS to protect some sensitive information on a
shared
> drive. This was working fine until the account password expired and was
> changed. The user reported that they could open the files, but could not
> save changes. I had the user remove the encryption from all folders, which
> was successful and they could again modify the files. We then tried to
> encrypt the files again, but an error box is displayed stating "The
Recovery
> Policy configured for this system contains an invalid recovery
> certificate." I deleted thier certificate, and tried to encrypt the files
> again with the same result.
> >
> > The client computer is running XP Professional, the share is on a
Windows
> Server 2003 server, and the user account is an Active Directory account.
Any
> input is appreciated.
> >
> > Mike
>
>

Thanks for the assistance Admiral and Steven. I was wrapped around the axle chasing a problem with the password change, but by coincidence the DRA certificate expired at the same time.

Mike

Just to add my 2 cents to all of this . . .
I doubt this has anything to do with password change because the user could
still decrypt files. A failure during the change or a password reset would
break DPAPI and EFS couldn't decrypt already-encrypted files. More likely
it was a coincidence that the password was changed when the problem
occurred. Maybe the machine was also rebooted for the first time in a
while? (That's when the LSA picks up any changes in EFS recovery policy.)

The recovery policy as seen by the XP machine is bad. There's a bad
(expired?) cert in it, most likely. If the machine is in a domain and the
DC thinks that it has a good recovery policy, then there is a policy
propagation error - should be lots of events logged on the client saying as
much. If it's a bad policy on the DC, check out the cert(s) in the recovery
policy - click on 'em and see if there are red X's in the cert UI. Removing
bad recovery certs and (if necessary) adding a new one ("cipher /r" at
cmdline) to the policy, then rebooting the client would solve the "it's bad
on the DC" problem.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


"Steven L Umbach" <(E-Mail Removed)> wrote in message
news:y4KKb.240783$8y1.1095822@attbi_s52...
> A user changing their own password should not normally cause a problem,
while having
> their password reset will prevent that user from accessing their encrypted
files
> which is not happening in this case. Saving/encrypting EFS files requires
the user's
> and recovery agent's [if configured] certificate. Since you received an
error
> message about the recovery agent, I would find where that policy is
configured for
> the server which could be at the domain/OU/local level security policy
under security
> settings/public key policies/encrypted file system and examine the
recovery agent
> certificate to make sure that it is indeed a certificate for recovering
files and it
> is trusted [it should say if it is not on the general page]. I am not
sure if this
> may be an issue, but also run netdiag on the Windows 2003 server looking
for any
> failed tests that may indicate a problem with it's computer account/secure
channel
> that may also be causing the problem. -- Steve
>
> http://support.microsoft.com/default...en-us%3B321708
>
> "Mike" <(E-Mail Removed)> wrote in message
> news:28983D92-BC2F-4D75-8005-(E-Mail Removed)...
> > I have a user using EFS to protect some sensitive information on a
shared drive.
> This was working fine until the account password expired and was changed.
The user
> reported that they could open the files, but could not save changes. I had
the user
> remove the encryption from all folders, which was successful and they
could again
> modify the files. We then tried to encrypt the files again, but an error
box is
> displayed stating "The Recovery Policy configured for this system
contains an
> invalid recovery certificate." I deleted thier certificate, and tried to
encrypt the
> files again with the same result.
> >
> > The client computer is running XP Professional, the share is on a
Windows Server
> 2003 server, and the user account is an Active Directory account. Any
input is
> appreciated.
> >
> > Mike
>
>