Sharing encrypted files in an XP workgroup environment

Guest

Hello,

I'm having some issues sharing encrypted files among XP Pro machines in a
workgroup. I have exported everyone's certificate and key info to the machine
hosting the encrypted files and have set a DRA on the machine hosting the
file. I am testing with a simple .txt file, to no avail. I can change the
access permissions and even set new users' certificates from a remote machine;
however, when I try to open or copy I get the access denied error message. Any
help would be really appreciated.

Aaron
 
Guest

Thanks for looking into it Steve,

Yes, I've created the password PFX files that are exported then imported to
the machine acting as the server. The thumbprint IDs on the imported certs
do match the thumbprints on the other machines with the corresponding logon. I
think the keys are OK; upon reading and reading and reading I'm starting to
wonder if the problem lies in the peer-to-peer environment. The MS articles
hint at using it in a workgroup but don't provide a how-to. I think it's
more of a security statement on how to keep it locked down in a workgroup;
everything in the how-to pages is for an AD domain or standalone machine. In
the AD scenarios the server must be trusted for delegation in order to
impersonate the remote computer. Is that possible in a workgroup? I have not
been able to find much info on it. I am assuming that if one station can't
trust the other, or if the station is not capable of impersonating another,
that it is not possible for this to work in a workgroup scenario. My whole
intention for the little project is to secure a customer database on a
network, encrypt the files transparently so no one knows that it's encrypted,
so that the customer database can't be used off the network (employee going
home and taking the database if he/she quits to go to a different company). I know
that if they export their cert to file this plan goes out the window, but I'm
working with plumbers... they have trouble just making a CD..... exporting a
cert shouldn't be an issue, especially if they don't know it's encrypted to
begin with.

Any more help would be really cool.
 
Steven L Umbach

It should work if users all log on locally to the computer where the EFS
files are located but most likely there is no way to make it work for
network logon in a workgroup. One reason probably is because in a workgroup
each user account has a different SID on each computer even though the user
name is the same thus the network user is not able to retrieve the EFS
certificate/private key from the user profile on the computer with the
share. Trusted for delegation is needed so that the computer can
impersonate the user to obtain a certificate/private key for the user and
could not be done without the computers being domain members. --- Steve
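
An added illustration of the SID point in the reply above; it is not part of the original thread. The account names and SID values are constructed, and the helper names are hypothetical. It compares same-named local accounts from two workgroup machines by their binary SID, showing that a matching user name and RID still do not make the same security principal.

```python
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Encode the string form S-R-A-s1-s2-... into the binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # 1 byte revision, 1 byte sub-authority count, 6 bytes big-endian
    # authority, then each sub-authority as a 32-bit little-endian value.
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def split_account_sid(sid: str):
    """Split S-1-5-21-a-b-c-RID into (machine/domain identifier, RID)."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError(f"not a local/domain account SID: {sid!r}")
    return "-".join(parts[:7]), int(parts[7])

def compare_accounts(server: dict, client: dict) -> dict:
    """For every user name present on both machines, report what matches."""
    report = {}
    for name in sorted(set(server) & set(client)):
        s_id, s_rid = split_account_sid(server[name])
        c_id, c_rid = split_account_sid(client[name])
        report[name] = {
            "same_machine_id": s_id == c_id,
            "same_rid": s_rid == c_rid,
            # Identity is decided on the whole SID, not the user name.
            "same_sid": sid_to_bytes(server[name]) == sid_to_bytes(client[name]),
        }
    return report

# Constructed sample: local account lists from two workgroup PCs.
SERVER = {"aaron": "S-1-5-21-1111111111-2222222222-3333333333-1004",
          "steve": "S-1-5-21-1111111111-2222222222-3333333333-1005"}
CLIENT = {"aaron": "S-1-5-21-1004000001-2004000002-3004000003-1004"}

if __name__ == "__main__":
    for name, result in compare_accounts(SERVER, CLIENT).items():
        print(name, result)
```
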
 
