Problems setting up the Recovery Agent

microsoft.public.windows.server.security
Posted by techo crat on December 19, 2006, 1:26 pm
I'm having problems setting up the Recovery Agent (RA) to work in my
domain. I would like to know if I'm missing any steps.
I have a 2003 domain and installed Windows CA on the DC machine.

I created a domain user which I will use primarily as an RA. I logged
into the CA machine as the RA and exported its certificate.
I logged back into the machine as the domain admin and imported the
certificate so that it is a part of the Recovery Policy of the domain.
I imported the cert by going to the Group Policy Editor/Computer
Configuration/Windows Settings/Security Settings/Public Key
Policies/Encrypting File System. In the Add RA wizard, on the 2nd screen where
I select the user profile, after finding the certificate file, it
displays User: USER_UNKNOWN. I don't know whether this indicates that
something is wrong already.

After completing this process, in the Group Policy Editor under
Encrypting File System, my newly added RA is displayed.

Next, I try to test if this RA works by going on a workstation and
logging in as a normal domain user and encrypting a dummy text file. I
log on again as the RA, import the cert of the RA into this machine and
then try to open up the dummy file. But it failed. I then try to import
the private key file of the RA and then open the file, and it still
fails. Both times it displays an "Access is Denied" message.

I would like to know what I'm doing wrong.

Thanks a lot for any help


Posted by Roger Abell [MVP] on December 23, 2006, 11:34 am
Just wanting to clarify one thing about your test scenario . . .
When attempting to access the EFS protected file, logged in as
the RA, and you receive "Access Denied", does the RA account
have permissions at the NTFS level (this was not stated)?
That same message results from lack of NTFS permissions or
absence of the private key.




Posted by techo crat on December 27, 2006, 3:36 pm
To be more clear on my problem I'll list some other steps/info I didn't
mention.
I installed the Enterprise CA of Microsoft.
I had also given the new Recovery Agent "Modify" rights on the
encrypted file.
After installing the Enterprise CA, I added the Recovery Agent to the
Recovery Policy.
A side note: I also created a recovery policy for the Domain Admin. So
presently the Recovery Agent and the Domain Admin have a Certificate
issued by the CA. But I also kept the self-signed Certificate for the
Domain Admin (which was created the first time I logged into the DC).

In the properties of the encrypted file, under "Data Recovery Agents
For This File As Defined By Recovery Policy:",
I could see the 3 Recovery Agents mentioned above for this file.
Even the certificate thumbprints of each RA in the properties of the
encrypted file and in the Group Policy Editor were identical.
So I don't know what is missing.

Thanks for any help.


Posted by Roger Abell [MVP] on December 27, 2006, 7:23 pm
OK, let's focus on this step
<quote>
I relog on as the RA, and import the cert of the RA into
this machine and then try to open up the dummy file.
</quote>
I assume the workstation is XP, and that by "import the cert"
you did mean the private key from the pfx was also imported.
In XP when you do this you are offered to have a prompt
on use, but for decryption to work when importing the key
you must select to just have the key used without prompting.
Did you do it that way?

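Added example (not code from the thread or from either poster): a PowerShell check that imports the RA's PFX together with its private key into the current user's store and then confirms that thumbprint is among the keys EFS recorded on the test file, so that an "Access Denied" can be narrowed to NTFS permissions or key protection rather than a mismatched RA certificate. It assumes a current Windows with the PKI module (Import-PfxCertificate does not exist on XP/2003, where certutil -importpfx is the equivalent), placeholder paths, and that `cipher /c` labels each key as "Certificate thumbprint:".

```powershell
# Added example, not from the original thread. Verifies that the RA key
# just imported matches a thumbprint EFS stored on the encrypted file.
param(
    [Parameter(Mandatory)] [string] $PfxPath,        # placeholder, e.g. C:\keys\ra.pfx
    [Parameter(Mandatory)] [string] $EncryptedFile,  # placeholder, e.g. C:\test\dummy.txt
    [Parameter(Mandatory)] [SecureString] $PfxPassword
)

# 1. Import certificate AND private key into CurrentUser\My. EFS can only
#    use the key silently if it was imported without the "prompt on use"
#    (strong private key protection) option, which is the fix in the thread.
$raCert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Password $PfxPassword

if (-not $raCert.HasPrivateKey) {
    throw "PFX carried no private key; only the public certificate was imported."
}

# 2. Ask EFS which keys (owner and recovery agents) can decrypt the file.
#    Parsing assumption: 'cipher /c' prints each key's thumbprint as hex
#    groups separated by spaces after the label 'Certificate thumbprint:'.
$fileThumbprints = cipher.exe /c $EncryptedFile | ForEach-Object {
    if ($_ -match 'thumbprint:\s*([0-9A-Fa-f ]+)\s*$') {
        ($Matches[1] -replace ' ', '').ToUpperInvariant()
    }
}

# 3. Compare. A match means the file really is recoverable with this key,
#    so a remaining "Access Denied" points at NTFS ACLs or key protection.
$raThumb = $raCert.Thumbprint.ToUpperInvariant()
if ($fileThumbprints -contains $raThumb) {
    Write-Output "OK: RA key $raThumb is recorded on $EncryptedFile"
} else {
    Write-Output "MISMATCH: $EncryptedFile lists [$($fileThumbprints -join ', ')]"
    Write-Output "but the imported RA key is $raThumb."
    Write-Output "Run gpupdate, re-save the file so the DRA list refreshes, then retry."
}
```

Run it on the workstation in the RA's session; the DRA list on a file is written when the file is encrypted or re-saved, so a file encrypted before the policy reached the machine will not list the new RA.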



Posted by techo crat on December 29, 2006, 12:30 pm
Yes, the machine is XP. And your solution worked for me. I can now
decrypt. The problem was selecting the prompt option when importing the
PFX.
Do you know what use the prompting option is for then? Doesn't seem
like it is useful.

Thanks a lot for your help Roger, especially since it is the holiday
season.
Happy holidays and a great new year.
Kevin

