Just to add my 2 cents to all of this . . .
I doubt this has anything to do with password change because the user could
still decrypt files. A failure during the change or a password reset would
break DPAPI and EFS couldn't decrypt already-encrypted files. More likely
it was a coincidence that the password was changed when the problem
occurred. Maybe the machine was also rebooted for the first time in a
while? (That's when the LSA picks up any changes in EFS recovery policy.)
The recovery policy as seen by the XP machine is bad. There's a bad
(expired?) cert in it, most likely. If the machine is in a domain and the
DC thinks that it has a good recovery policy, then there is a policy
propagation error - should be lots of events logged on the client saying as
much. If it's a bad policy on the DC, check out the cert(s) in the recovery
policy - click on 'em and see if there are red X's in the cert UI. Removing
bad recovery certs and (if necessary) adding a new one ("cipher /r" at
cmdline) to the policy, then rebooting the client would solve the "it's bad
on the DC" problem.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
Post by Steven L Umbach
A user changing their own password should not normally cause a problem, while having
their password reset will prevent that user from accessing their encrypted files
which is not happening in this case. Saving/encrypting EFS files requires the user's
and recovery agent's [if configured] certificate. Since you received an error
message about the recovery agent, I would find where that policy is configured for
the server which could be at the domain/OU/local level security policy under security
settings/public key policies/encrypted file system and examine the recovery agent
certificate to make sure that it is indeed a certificate for recovering files and it
is trusted [it should say if it is not on the general page]. I am not sure if this
may be an issue, but also run netdiag on the Windows 2003 server looking for any
failed tests that may indicate a problem with its computer account/secure channel
that may also be causing the problem. -- Steve
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B321708
Post by Mike
I have a user using EFS to protect some sensitive information on a shared drive.
This was working fine until the account password expired and was changed. The user
reported that they could open the files, but could not save changes. I had the user
remove the encryption from all folders, which was successful and they could again
modify the files. We then tried to encrypt the files again, but an error box is
displayed stating "The Recovery Policy configured for this system contains an
invalid recovery certificate." I deleted their certificate, and tried to encrypt the
files again with the same result.
Post by Mike
The client computer is running XP Professional, the share is on a Windows Server
2003 server, and the user account is an Active Directory account. Any input is
appreciated.
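The check Drew and Steve describe (open the recovery-agent certificate, look for the red X, confirm it really is a file-recovery certificate and is still within its validity period) can be scripted. The following is an added example, not code from anyone in this thread. It assumes the recovery-agent certificate has been exported to a .cer file, either from the Encrypting File System node of the policy or freshly generated with "cipher /r:efsrecovery" (which writes efsrecovery.cer and efsrecovery.pfx); the path and the file name are placeholders. PowerShell is not available on the XP client itself, so run this on an admin workstation against the exported file.

```powershell
# Added example (not from the original thread): validate an EFS
# recovery-agent certificate before adding it to, or leaving it in,
# the recovery policy.
#
# Assumed input: a .cer file exported from the policy or produced by
#     cipher /r:efsrecovery
# The default path below is a placeholder.
param([string]$CerPath = '.\efsrecovery.cer')

# Enhanced Key Usage OID that marks a certificate as an EFS file-recovery cert.
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'
$problems = @()

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)

# 1. Is it actually a file-recovery certificate? (Steve's first check.)
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus = @()
if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
if ($ekus -notcontains $FileRecoveryEku) {
    $problems += "no File Recovery EKU ($FileRecoveryEku); EKUs present: $($ekus -join ', ')"
}

# 2. Validity period. (Drew's "bad (expired?) cert" guess.)
$now = Get-Date
if ($cert.NotAfter -lt $now)  { $problems += "expired on $($cert.NotAfter)" }
if ($cert.NotBefore -gt $now) { $problems += "not valid until $($cert.NotBefore)" }

# 3. Trust chain, the programmatic equivalent of the red X in the cert UI.
#    Certificates from "cipher /r" are self-signed, so UntrustedRoot is
#    expected for those and is not counted as a problem here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; no CRL fetch
$null = $chain.Build($cert)
$selfSigned = ($cert.Subject -eq $cert.Issuer)
foreach ($status in $chain.ChainStatus) {
    if ($selfSigned -and $status.Status -eq 'UntrustedRoot') { continue }
    $problems += "chain: $($status.Status) - $($status.StatusInformation.Trim())"
}

Write-Host "Subject    : $($cert.Subject)"
Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Valid      : $($cert.NotBefore) to $($cert.NotAfter)"
if ($problems.Count -eq 0) {
    Write-Host "OK: usable as an EFS recovery-agent certificate"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Two caveats. A certificate that passes here can still be "invalid" from the XP client's point of view if policy propagation failed, which is Drew's other case; that is diagnosed from the client's event log, not from the certificate. And the .pfx that "cipher /r" produces holds the recovery agent's private key: only the .cer goes into the policy, and the .pfx belongs offline with the other recovery material.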