EFS and Certificate Services

Guest

OK, I'm hoping that this is a bug in the software, but in reality it's really
bugging me.

I created an Enterprise Root CA with an Enterprise Subordinate CA for issuing
EFS certificates. The Root CA is offline. The client, a 2000 Pro machine,
is in the domain and the user is a normal user of the domain (Domain Users)
and is in the Administrators group on the local machine.

When the user encrypts a file, a certificate from the Subordinate CA is
issued. I checked the thumbprint of the file and the certificate, which matched.
So far, so good. Then 5 minutes or so later a second certificate for EFS is
issued from the CA. This certificate has a different thumbprint and is never
used for EFS. Why the two certs? And how can I get only one?

PLEASE HELP!!!
 
Brian Komar

Answers inline:

> OK, I'm hoping that this is a bug in the software, but in reality it's really
> bugging me.
>
> I created an Enterprise Root CA with an Enterprise Subordinate CA for issuing
> EFS certificates. The Root CA is offline.

An Enterprise Root CA computer cannot be offline. An Enterprise Root CA
must be a domain member and integrates with AD, which does not allow it to be
removed from the network.

> The client, a 2000 Pro machine, is in the domain and the user is a normal
> user of the domain (Domain Users) and is in the Administrators group on the
> local machine.

No need to be in the local Administrators group.

> When the user encrypts a file, a certificate from the Subordinate CA is
> issued. I checked the thumbprint of the file and the certificate, which
> matched. So far, so good. Then 5 minutes or so later a second certificate
> for EFS is issued from the CA. This certificate has a different thumbprint
> and is never used for EFS. Why the two certs? And how can I get only one?

The best practice is to issue the certificates *before* any encryption
is attempted. I would recommend a custom v2 certificate template that
implements key archival. Ensure that it is deployed using CAPICOM before
attempting encryption.

Where are they doing the encryption? If they are issued a single
certificate, the client should not request another certificate unless
encryption is attempted on a remote server. In this case, another cert
would be requested for storage in the user's profile on the remote
server.
 
Guest

Thanks for the response.

Why not take the root offline? Isn't it best practice to take the root
offline after it has given its cert to the sub CA?

Also, this is a Windows 2000 CA, so we cannot do V2 certs.

The user is encrypting a single file on their local machine, which is joined
to the domain. An EFS cert is issued from the Sub CA and 1 to 5 minutes
later a second EFS cert is issued. The first cert is the one that
is used for all encryption. The second one is not used.

Question is: why the two certs?

I can't believe this is the first time this has happened. I called MS and
they were stumped on why this was happening. So far they say it's a bug and
do not know if there is a workaround.

Come on, I can't be the only one that is trying to use a CA to issue EFS
certs on Windows 2000.
 
Paul Adare

In the microsoft.public.win2000.security newsgroup, Rschraeger said:
> Why not take the root offline? Isn't it best practice to take the root
> offline after it has given its cert to the sub CA?

A standalone root should be taken offline, yes, not an Enterprise Root.
By definition, an Enterprise Root needs access to Active Directory and
therefore needs to remain online.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
 
Guest

I thought the root CA was supposed to be taken offline for security reasons.
Is it then better to deploy a standalone root CA with an enterprise sub CA?
Is that even possible?
 
Paul Adare

In the microsoft.public.win2000.security newsgroup, Rschraeger said:
> I thought the root CA was supposed to be taken offline for security reasons.
> Is it then better to deploy a standalone root CA with an enterprise sub CA?
> Is that even possible?

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

or

http://tinyurl.com/28cjx

I'd strongly suggest that you look into taking some training. A PKI that
is improperly deployed and secured is worse than not having one at all.

http://www.microsoft.com/learning/syllabi/en-us/2821Afinal.mspx

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
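The design Paul describes, as an added example written for this page (not Paul's code and not taken from the linked Microsoft document): an offline stand-alone root whose CDP/AIA URLs point at an HTTP location that stays reachable while the root is powered off, with the root certificate and CRL published into Active Directory so that every domain member trusts it, and an online Enterprise Subordinate CA doing the actual issuing. The host name pki.example.com, the file names RootCA.crt and RootCA.crl, and the CRL periods are placeholders chosen for the example; the CAPolicy.inf sections used here are the Windows Server 2003 (and later) syntax that the linked best-practices guide targets, not the Windows 2000 CA the original poster is running.

```powershell
# Added example: offline stand-alone root + online enterprise issuing CA.
# Placeholders (assumptions): pki.example.com, RootCA.crt/RootCA.crl, periods.

# --- Step 1: on the future root, BEFORE installing Certificate Services ---
# Empty CDP/AIA: nobody checks a self-signed root for revocation against itself.
# Long CRL period: the box is only booted to sign a sub CA or renew.
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@ | Set-Content -Path "$env:WINDIR\CAPolicy.inf" -Encoding ASCII
# Now install Certificate Services as a Stand-alone root CA on a workgroup
# (non-domain) machine that is not connected to the network.

# --- Step 2: after installation, still on the root, still off the network ---
# Flag 1 = publish to this location; flag 2 = put the URL in the CDP/AIA of
# certificates the root issues (i.e. the sub CA's certificate).
# Tokens: %3 = CA name, %8/%9 = CRL and delta-CRL suffix, %1 = server DNS
# name, %4 = certificate renewal suffix. "\n" separates entries for certutil.
$Http = 'http://pki.example.com/CertEnroll'
certutil -setreg CA\CRLPublicationURLs    "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:$Http/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$Http/%1_%3%4.crt"
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod 'Weeks'
net stop certsvc
net start certsvc
certutil -crl        # write a fresh CRL carrying the new settings

# --- Step 3: on a domain member, as an Enterprise Admin, with the two files
#     copied (removable media) from the root's %WINDIR%\system32\CertSrv\CertEnroll ---
certutil -dspublish -f RootCA.crt RootCA   # Certification Authorities container: domain members trust the root
certutil -dspublish -f RootCA.crl          # CDP container in AD
# Copy RootCA.crt and RootCA.crl to the web server behind $Http as well, then
# install the Enterprise Subordinate CA, carry its request file to the root
# for signing, and bring the issued certificate back the same way.
```

The root itself never joins the domain and never comes back on the network after step 2; everything that must be reachable by clients (the root certificate, its CRL) lives on the web server and in AD, which is why the URLs configured in step 2 must be decided before the subordinate CA's certificate is signed.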
 
Guest

Paul,

I appreciate your concern for my training, but I believe that I have all the
training I need. I was only looking for clarification on a few items, and for
some reason the Enterprise root CA slipped my mind a little.

I think it is because I'm battling this problem with multiple certificates
being issued. At this time I can reproduce the problem on an enterprise CA
(yes, it's online) issuing certs to clients. Yes, I also know that Enterprise
CAs should not be issuing certs to clients. Again, this is only testing.
Anyway, the clients receive multiple EFS certs from the CA. Looking at the
certificate requests, the client is requesting an EFS cert, which the CA
gives to the client, then the client requests another.
 
Brian Komar

> Paul,
>
> I appreciate your concern for my training, but I believe that I have all the
> training I need. I was only looking for clarification on a few items, and for
> some reason the Enterprise root CA slipped my mind a little.
>
> I think it is because I'm battling this problem with multiple certificates
> being issued. At this time I can reproduce the problem on an enterprise CA
> (yes, it's online) issuing certs to clients. Yes, I also know that Enterprise
> CAs should not be issuing certs to clients. Again, this is only testing.
> Anyway, the clients receive multiple EFS certs from the CA. Looking at the
> certificate requests, the client is requesting an EFS cert, which the CA
> gives to the client, then the client requests another.

Where are you seeing the second certificate, in the Certification
Authority console or in the user's Certificates console?

I am wondering whether the certificates are issued to the same user
profile, or to multiple computers.

Brian
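Brian's two questions (which store shows the second certificate, and whether both went to the same user) can be answered from both sides with a short script. The following is an added example written for this page, not Brian's or Microsoft's code: it lists the EFS certificates (EKU 1.3.6.1.4.1.311.10.3.4) in the current user's Personal store, marks which one matches the thumbprint shown in the encrypted file's Advanced Attributes, Details dialog (on XP/2003 and later `cipher /c <file>` prints the same list), and queries the CA database for everything issued to that requester. The function names, the CA config string and the requester name are placeholders. PowerShell is not available on the Windows 2000 client itself; the store check runs on a later Windows version, while the CA-database query works from any machine with certutil and access to the CA.

```powershell
# Added example: find duplicate EFS certificates and identify the one in use.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID

function Get-EfsCertificate {
    # Every certificate in the user's Personal store whose EKU extension lists EFS.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { return $false }
        [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEku })
    }
}

function Test-EfsCertificateDuplicate {
    param(
        # Thumbprint from the file's "Users who can access this file" list.
        [Parameter(Mandatory = $true)] [string] $FileThumbprint
    )
    # The dialog prints spaced hex pairs; the store holds bare upper-case hex.
    $wanted = ($FileThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $certs  = @(Get-EfsCertificate)
    foreach ($c in $certs) {
        [pscustomobject]@{
            Thumbprint    = $c.Thumbprint
            Issuer        = $c.Issuer
            NotBefore     = $c.NotBefore
            HasPrivateKey = $c.HasPrivateKey
            UsedByFile    = ($c.Thumbprint -eq $wanted)
        }
    }
    if ($certs.Count -gt 1) {
        Write-Warning ("{0} EFS certificates in the Personal store; only the one " +
                       "marked UsedByFile protects the file, the rest are the " +
                       "extra enrollments discussed in this thread." -f $certs.Count)
    }
}

function Show-CaIssuedEfsRequest {
    # The CA side of Brian's question: every issued request for one requester,
    # with the template, issue time and thumbprint (CertificateHash column).
    param(
        [Parameter(Mandatory = $true)] [string] $CaConfig,       # e.g. 'caserver\Example Issuing CA'
        [Parameter(Mandatory = $true)] [string] $RequesterName   # e.g. 'EXAMPLE\alice'
    )
    # Disposition=20 restricts the view to issued certificates.
    certutil -config $CaConfig -view `
        -restrict "RequesterName=$RequesterName,Disposition=20" `
        -out 'RequestID,RequesterName,CertificateTemplate,NotBefore,CertificateHash'
}

# Usage (thumbprint, CA and user are placeholders):
# Test-EfsCertificateDuplicate -FileThumbprint '12 34 ab cd ...' | Format-Table
# Show-CaIssuedEfsRequest -CaConfig 'caserver\Example Issuing CA' -RequesterName 'EXAMPLE\alice'
```

Two issued rows for the same RequesterName a few minutes apart, of which only one thumbprint is marked UsedByFile in the store, is the pattern the original poster describes; two rows with different RequesterName values, or rows whose thumbprints appear in different users' stores, would point at the multiple-profile case Brian raises instead.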
 
Guest

--
RS
MCSE, MCP+I, MCP


Brian Komar said:
> Where are you seeing the second certificate, in the Certification
> Authority console or in the user's Certificates console?
>
> I am wondering whether the certificates are issued to the same user
> profile, or to multiple computers.
>
> Brian
> --
> ==
> Brian Komar
> MVP - Windows - Security
> http://www.identit.ca/blogs/brian
 
Guest

Brian,

The certificates show up in Certificate Services and are also viewable
in the user's Personal store.

I called Microsoft and had a lengthy troubleshooting session with them. This
was their response:

"There was a bug submitted on this issue and the development team is not
going to fix this for Windows 2000. This is, however, fixed in Windows
XP. I will be sending another email with the response from the
development team. The issue is that there is a bug in the autoenrollment
code causing it to pull a second certificate unnecessarily. Although 2000
clients cannot use autoenrollment to autoenroll for certificates, the code
is still there and some certs are flagged as available for
autoenrollment. ACRS (Automated Certificate Request Settings) is used by
2000. EFS has created an ACRS, but autoenrollment doesn't realize that a
certificate has been enrolled for already. This is what is causing the
second certificate to appear.

Thank you and look forward to hearing from you."

Then this response from the development team:

"The request that the certificate auto-enrollment behavior for Windows
2000 be changed has been reviewed by senior Microsoft support
professionals, escalation engineers, developers, and managers. We
understand the impact this has to your business.

Microsoft assures that there is no loss in functionality on account of
the second certificate behavior. This behavior is present in Windows
2000 from day one. This behavior does not occur in XP or Server 2003,
where the AE (auto-enrollment) code has been rewritten. There are valid
usage scenarios on Win2000 today where customers benefit from the existing
behavior. To fix this issue in Win2K properly, without breaking any
existing customer scenarios or applications, we have to back-port the new
code from WinXP, which requires significant development and testing
resources. This would result in significant code change and creates a risk
of regressions to a very critical code path.

Given the details above, we regret that we are not able to make this
change. Please let us know if you have further questions."
 
