WinXP Encryption Added users "Access denied"


Rilje

Hi,

I'm running Windows XP, SP2 on a LAN w/ a Win2K server acting as domain and
exchange server running Small Business Server 2003. Trying to encrypt files
on server and allow access by multiple users on the network. Using as my
guide the Microsoft document:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sharefilesefs.mspx

PC1 user1,PC2 user2 both have r/w access to a shared drive on the server.

As user1(w/admin privileges), from PC1(NOT the server), I encrypt a file on
a shared drive residing on the server.

Then I get on PC2 as user2 and encrypt a test file on PC2 to generate a
certificate/key. I then export the cert to a drive accessible by PC1.

On PC1, I import the cert, and stick it in the Trusted Root Certification
Store.

Next, on PC1, I do a right click-->properties-->advanced and go into the
Details tab and Add user2 from PC2.

Most of the time I can look at the properties of the encrypted file from
both computers/users and see the two users in there under details.*

From PC1,user1, I can see the file contents.
From PC2,user2, I get access denied.

*I have noticed that sometimes when I try to look at the properties for the
encrypted file from PC1 or PC2, it takes a while, and sometimes clicking on
the advanced button takes a really long time (I killed the app from task mgr
after 10 minutes) AND causes other people on the network to have problems
accessing their Outlook email.

Next, I went thru the same procedure with a file on PC1 which was in a
shared folder with r/w accessibility for PC2/user2. I saw the same behavior
as above except I can always get the properties and advanced/detail panels
to come up without delay or appreciable network impact, e.g.:

From PC1,user1, I can see the file contents.
From PC2,user2, I get access denied.

In the first case, sharing a file on the server, I can see that there might
be some operating system conflict (Win2K as the server, WinXP as the client)
but in the second case, sharing a file on the Peer PC1, I'm unclued.

Has anyone else seen this behavior or does anyone see what I'm doing wrong?
Thanks.
 

Guest

The documentation applies to sharing encrypted files between users who log
onto the same computer--in other words, both users have profiles and EFS
certificates/keys on the same PC. If you want to enable the users to access
those local files from a second computer, you must configure the first
computer to be trusted for delegation and share out the files.

If you want to share files that have been encrypted on a remote server, you
will have more success by using roaming profiles for the users. Configure
the profiles to be roaming, log onto a domain PC as each user and
install/create an EFS certificate for the user (encrypt a file), and then
publish that certificate to the AD (so it can be added to files). When the
user encrypts a file on the remote server for the first time, the server will
use the certificate from the user's roaming profile. Be sure when you are
adding users' certificates to remote files on the server that you are adding
the certificates that are stored in their roaming profiles.

Hope that helps.
Pat
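The answer above hinges on two things an administrator can check before touching delegation or roaming profiles: whether the file in question actually carries the EFS attribute, and whether each user has an EFS certificate (with the private key, for their own cert) in a store the "Add" dialog draws from. The script below is an added diagnostic, not part of the thread or of the Microsoft documentation it cites; it assumes Windows PowerShell with the Cert: drive, the placeholder path `C:\Share\test.txt`, and that the EFS enhanced-key-usage OID is `1.3.6.1.4.1.311.10.3.4`. It walks the My, Trusted People and Other People (AddressBook) stores, which is where an imported colleague's certificate is assumed to belong; a certificate sitting only in Trusted Root would not show up here.

```powershell
# Added EFS sharing diagnostic (not from the thread). Run as the user who
# reports "access denied" and again as the user who encrypted the file.
param(
    [string]$Path = 'C:\Share\test.txt'   # placeholder; replace with the encrypted file
)

# Enhanced Key Usage OID that marks a certificate as usable for EFS.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'

function Test-EfsCapable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Look for the EKU extension and check it lists the EFS OID.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEku })
}

function Get-EfsCertificates {
    # My: the current user's own EFS key (HasPrivateKey should be True here).
    # TrustedPeople / AddressBook ("Other People"): imported certs of other users,
    # which is where the Add-user dialog is assumed to look.
    foreach ($store in 'My', 'TrustedPeople', 'AddressBook') {
        Get-ChildItem -Path "Cert:\CurrentUser\$store" -ErrorAction SilentlyContinue |
            Where-Object { Test-EfsCapable -Cert $_ } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    HasPrivateKey = $_.HasPrivateKey
                    Expired       = ($_.NotAfter -lt (Get-Date))
                }
            }
    }
}

function Test-EfsEncrypted {
    param([string]$FilePath)
    # The Encrypted attribute is set on EFS-protected files and folders.
    $attrs = [System.IO.File]::GetAttributes($FilePath)
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

Write-Host "EFS-capable certificates visible to $env:USERNAME:"
Get-EfsCertificates | Format-Table -AutoSize

if (Test-Path -LiteralPath $Path) {
    "{0} has the Encrypted attribute: {1}" -f $Path, (Test-EfsEncrypted -FilePath $Path)
} else {
    "Path not found: $Path (edit the placeholder at the top of the script)"
}
```

Run it once per user on each PC involved. If the second user's listing shows no certificate with `HasPrivateKey = True` in the My store, that user has never encrypted anything on that machine and therefore has no key to be added; if the first user's listing shows the colleague's certificate only outside the stores above, the Details dialog has nothing to pick from, which matches the symptom described in the original post.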
 

Rilje

I'm running Windows XP, SP2 on a LAN w/ a Win2K server acting as domain and
exchange server running Small Business Server 2003.

Thanks Pat. I read a Microsoft page that suggested using Web Folders
(Network Places) instead of shared folders.

http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prnb_efs_hzqx.asp

Apparently, encryption of a Web Folder doesn't require trusting for
delegation or Roaming Users. Sounded great. So I:

-Created a new Network Place pointing to the folder on the server.
-Went into My Network Places, right clicked on the folder, clicked
properties, advanced, then checked the encryption.
-Checked encrypt folders and files.
-Clicked OK. (properties dialog)
-Then my computer hung on the properties window and after a few minutes, it
said "Not Responding" in the title bar.

....Uh Oh

-Then another user went on a lunch break because Outlook was hanging for
her. She had a white screen with a title bar. This was about 5 minutes
after I clicked OK on the properties dialog.
-So I killed it (My Network Places) in the task manager, and everything on
my task bar disappeared.
-Restarted my computer and after a long delay at login, got in, everything
seemed normal. I could even check my Outlook.
-I tried logging in on the other (lunch break) user's pc using their login,
and it took a long time. Once it let me in, outlook still wouldn't work.
-After about twenty minutes, everybody started having problems getting into
outlook and other server applications started having problems.
-Went to the server, hit Ctrl-Alt-Del, and the login took a few minutes to
come up. Once it did, it wouldn't accept the admin password (kept saying it
was the wrong password, can't remember exact message, but looked like
standard msg "The domain couldn't log you on...").
-Did hard reboot of the server, everything seems normal.
-Checked the folder I tried to encrypt, none of it seems to be encrypted.

I noticed similar behavior before when I tried to encrypt shared folders.
The first time I encrypted a shared folder on the server from my computer,
it encrypted the folder and there was no noticeable network impact. The
second time, the events described above after "...Uh Oh" occurred. The same
user that had the initial Outlook problem was the first to have a problem
(we have the same last name..). At the time, I harbored the dim hope that
this was merely coincidence.

Another symptom is when I go to the successfully encrypted shared folder and
do a right click, properties on the file, it takes a while to give me the
properties screen. Then I click on Advanced, and it hangs. I find that if
I quickly kill the app., no further network problems manifest.

Anywhere you can direct me to troubleshoot this? Thanks in advance.
 

Guest

I have had some, but not much, experience encrypting files on WebDAV shares
and never saw what you experienced. (What a day!) Perhaps your WebDAV share
is not configured as it needs to be--though it sounds like you're familiar
with that setup. Here are a couple of links that might help:

http://www.microsoft.com/technet/pr...IIS/844f5e01-4b9e-4dac-897e-2a0bb33f28af.mspx

http://msdn.microsoft.com/library/d...cewebsr/html/ceconConfiguringWebDAVServer.asp

Sorry I can't give you a definite answer on why it didn't work. Maybe
someone else out there has some ideas. Good luck.

Thanks.
Pat
 
