Posted by Brian Komar on May 4, 2007, 3:09 pm
You need to get your head around how EFS works.
EFS is local file encryption (always). When you connect to a server using
SMB connections, the file is transferred to/from the server in the clear.
The encryption/decryption takes place at the server.
In your case, you added the incorrect EFS certificate in step 4. You would
need to add the EFS certificate that Pascal would use *on* computer XP_B.
When Pascal connects over the network to XP_B, the computer account for
XP_B impersonates Pascal, and generates a new EFS certificate for Pascal.
Even with a certificate authority, you would run into the same issue.
I recommend that you investigate Certificate Roaming Service on
microsoft.com
Brian
On Fri, 04 May 2007 15:17:59 +0200, Pascal wrote:
> Hello,
>
> I have tested something but I am not sure that I am right!
>
> I have two computers XP_A and XP_B member of an active directory domain
> with no certificate authority.
> There are two users : Pascal and Isabelle.
>
> 1. Pascal logs on XP_A and encrypts a file with EFS.
> 2. Pascal exports his certificate through Internet Explorer (with or
> without the private key, the issue will be the same).
> 3. Now, on XP_B, an admin installs the Pascal certificate on the
> computer (in the "Trusted People" store).
> 4. Isabelle logs on XP_B and encrypts a file with EFS, then she adds
> the Pascal certificate to authorize him to access this encrypted file.
> 5. Pascal is connected to XP_A and opens the encrypted files for which
> his certificate is attached on XP_B, but he still gets an access denied.
>
> Question: Why is Pascal not able to access this file from the network?
> (From XP_A to XP_B)
>
> More generally, if I export an EFS user certificate from one computer
> to another, can I access the encrypted file through the network?
>
> With a certificate authority, I think there will be no problem but I
> would like to understand why like this it is not working.
>
> Thank you
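A diagnostic check for the mismatch Brian describes, added here as an example and not part of either post. It assumes Windows Vista or later (where cipher.exe supports /c), a PowerShell session, and a placeholder file path; run the certificate listing as Pascal on XP_A and again as Pascal on XP_B, then compare the thumbprints with those cipher /c prints for the file on XP_B.

```powershell
# Added example (not from the original thread). Assumes Windows Vista or later
# so that cipher.exe /c is available; the file path below is a placeholder.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for Encrypting File System

function Get-EfsCertificate {
    # Lists certificates in the current user's personal store that carry the EFS EKU.
    # When the server (XP_B) impersonates the user over SMB it generates an EFS
    # certificate in that user's server-side profile, so the thumbprints seen here
    # on XP_A and on XP_B will differ.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq $EfsEkuOid }
        } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

function Get-EfsFileAccess {
    param([Parameter(Mandatory)][string]$Path)
    # cipher /c prints the users, and the certificate thumbprints, that can decrypt
    # the file. Run this on the machine that holds the file (XP_B). If the listed
    # thumbprint is not one the connecting user's profile on XP_B holds, the server
    # cannot decrypt on that user's behalf and the client sees "access denied".
    & cipher.exe /c $Path
}

Get-EfsCertificate | Format-Table -AutoSize
Get-EfsFileAccess -Path 'C:\Data\secret.txt'   # placeholder path on XP_B
```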