Troubleshooting EFS


In some situations EFS might not operate as expected. Some EFS issues can be resolved very simply, while others require complex high-level administrative solutions. Understanding how EFS works is the basis for resolving EFS issues. This section presents some common situations that might arise with EFS and the most likely causes for these problems.

For more information about troubleshooting EFS, see Windows XP Professional Help and Support Center.

Unable to Encrypt Files

If you find that you are unable to encrypt files or folders, one of the following might be the cause:

  • The file is not on an NTFS volume.

  • You do not have Write access to the file.

  • If you are having trouble encrypting a remote file, check to see that your user profile is available for EFS to use on that computer (this typically means having a roaming user profile), make sure the remote computer is trusted for delegation, and make sure your account is configured to enable delegation. Sensitive accounts are not enabled for delegation by default, so users like Enterprise Administrator might not be able to encrypt or decrypt files remotely.

    Note

    Sometimes users think that a file is not encrypted because they can open it and read the file. You can verify whether a file is encrypted by checking the file's attributes.

For more information about formatting volumes as NTFS, see Windows XP Professional Help and Support Center.

For more information about the encryption process, requirements, and procedures, see Encrypting and Decrypting By Using EFS earlier in this chapter.

For more information about remote EFS operations, see Remote EFS Operations in a File Share Environment earlier in this chapter.

Unable to Decrypt Remote Files

The following are the major causes of and solutions for remote decryption failure (usually indicated by an Access is denied message):

  • The computer on which the encrypted file is stored is not trusted for delegation. Every computer that stores encrypted files for remote access must be trusted for delegation. To check a computer's delegation status, open the computer's properties sheet in the Active Directory Users and Computers snap-in.

  • The user account that EFS needs to impersonate cannot be delegated. To check a user's delegation status, open the user's Properties sheet in the Active Directory Users and Computers snap-in.

  • The user's profile is not available. Using roaming user profiles is the solution for this problem.

  • One of the user's profiles is available, but it does not contain the correct private key. Using roaming user profiles is the solution for this problem.
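The two delegation prerequisites listed above (the file server trusted for delegation, the user account not marked as sensitive) can be read straight from the userAccountControl attribute in Active Directory. The script below is an added example, not part of the Resource Kit; the function names Get-UacFlags and Test-EfsDelegation are my own, and it assumes a domain-joined machine whose current user can read Active Directory.

```powershell
# Added example, not from the Resource Kit. Reads userAccountControl through the
# built-in ADSI searcher, so no RSAT module is needed; run it as a domain user.
function Get-UacFlags {
    param([Parameter(Mandatory=$true)] [string] $LdapFilter)
    $searcher = [adsisearcher]$LdapFilter
    $searcher.PropertiesToLoad.Add('userAccountControl') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { throw "No account matched filter: $LdapFilter" }
    [int]$result.Properties['useraccountcontrol'][0]
}

function Test-EfsDelegation {
    param(
        [Parameter(Mandatory=$true)] [string] $ServerName,   # NetBIOS name of the file server
        [Parameter(Mandatory=$true)] [string] $UserName      # sAMAccountName of the user
    )
    # userAccountControl bits that decide whether EFS can impersonate the user on the server.
    $TRUSTED_FOR_DELEGATION = 0x80000    # computer: "Trust this computer for delegation"
    $NOT_DELEGATED          = 0x100000   # user: "Account is sensitive and cannot be delegated"

    $computerSam = $ServerName + '$'     # computer accounts end with a dollar sign
    $serverUac = Get-UacFlags "(&(objectCategory=computer)(sAMAccountName=$computerSam))"
    $userUac   = Get-UacFlags "(&(objectCategory=person)(sAMAccountName=$UserName))"

    $serverOk = ($serverUac -band $TRUSTED_FOR_DELEGATION) -ne 0
    $userOk   = ($userUac   -band $NOT_DELEGATED) -eq 0

    # Constrained delegation (Windows Server 2003 and later) is configured through other
    # attributes and is not evaluated here.
    New-Object PSObject -Property @{
        Server                     = $ServerName
        ServerTrustedForDelegation = $serverOk
        User                       = $UserName
        UserCanBeDelegated         = $userOk
        RemoteEfsPrerequisitesMet  = ($serverOk -and $userOk)
    }
}
```

A False in either column points at the matching bullet above; a profile that is missing or lacks the private key is not visible in Active Directory and still has to be checked on the server.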

For more information about the decryption process, requirements, and procedures, see Encrypting and Decrypting By Using EFS earlier in this chapter.

For more information about remote EFS operations, see Remote EFS Operations in a File Share Environment earlier in this chapter.

Unable to Open Encrypted Files

If you are unable to open an encrypted file, you might not have the correct EFS certificate and private key for the file. If the file is old, the public key and private key set might no longer be available. Although expired certificates and private keys are archived, users can delete archived certificates and private keys, or they can be damaged. If this has occurred, you can recover the file.

This problem can also occur when a computer that previously operated in stand-alone mode is now a member of a domain. The file might have been encrypted by a local self-signed certificate issued by the computer, but the CA designated at the domain level is now the issuing authority.

To access a file that was encrypted while the computer was in stand-alone mode, log off, and then log back on to the local computer instead of the domain.

The same conditions apply for encrypting and decrypting remote files. The user's profile must be available for EFS to use, the computer must be trusted for delegation, and the user's account must be enabled for delegation.

For information about how to recover files, see Recovering Encrypted Files earlier in this chapter.

For more information about encryption and decryption processes, requirements, and procedures, see Encrypting and Decrypting By Using EFS earlier in this chapter.

For more information about remote EFS operations, see Remote EFS Operations in a File Share Environment earlier in this chapter.

Determining Whether the Certificate Used to Encrypt a File is Still Available for Decryption

The public key certificate is not used for decryption because it does not contain the private key. However, if a file cannot be decrypted, you can determine who is authorized to access the file and which certificate and public key were used to encrypt the file. This information is listed in the Encryption Details dialog box under a file's advanced properties. When you determine whether the user has been authorized to access the file, you can determine what certificate was used to encrypt the file. Then you can determine whether the certificate is still available. If the certificate is not available, the private key will not be available, and the user will not be able to decrypt the file. If the certificate is available, the user might have exported the private key and deleted it from the computer.

To view authorized users and certificate thumbprint information

  1. Right-click the encrypted file and then click Properties.

  2. On the General tab, in the Attributes section, click Advanced.

  3. In the Advanced Attributes dialog box, click Details to open Encryption Details. Users who are authorized to access the file are listed under Users Who Can Transparently Access This File. The thumbprint for the certificate used to encrypt the file is listed with the name of the authorized user.

    Note that any data recovery agents are listed as well.

To compare the certificate thumbprint associated with the encrypted file with other certificate thumbprints

  1. Open the Certificates snap-in and locate the user's certificates.

  2. Double-click a certificate and then click the Details tab. The certificate thumbprint is one of the listed details.

  3. Compare the certificate thumbprint associated with the encrypted file with the thumbprints of each of the user's EFS certificates.

Determining Whether the Access Problem Is Related to the Availability of the Necessary Private Key

If the user who wants to access the file is not listed in Users Who Can Transparently Access This File, the user has not been authorized to access the file or has been deleted from the authorized user list. You can then determine whether the user is supposed to be authorized to access the file.

If the user is already authorized to access the file, you can compare the certificate thumbprint listed next to the user's name with thumbprints of the user's certificates in the Certificates snap-in.

If the EFS certificate used to encrypt the file is available, determine whether the user has the necessary read and write permissions for the file. If the user does have read and write permission, it is likely that the private key was exported and deleted from the computer.

If the necessary private key is not available and cannot be imported, you can use the Encryption Details dialog box to determine whether any other users or any data recovery agents are authorized to access the file. If so, you can have any of these authorized users decrypt the file.

If the necessary private key is not available and cannot be imported, and there are no other authorized users or any data recovery agents, the file cannot be recovered. Determine whether the user's profile is available for restore from backup.
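The thumbprint comparison from the two procedures above, together with the attribute check from the earlier Note and the decision path in this section, can be scripted for a single file. This is an added example, not code from the Resource Kit; Get-EfsCertificate and Test-EfsKeyAvailability are my own names, and the only input it assumes is the thumbprint copied from the Encryption Details dialog.

```powershell
# Added example, not from the Resource Kit. $FileThumbprint is the value shown next
# to the user in the Encryption Details dialog (spaces between hex groups are tolerated).
function Get-EfsCertificate {
    # EFS certificates carry the Enhanced Key Usage OID for Encrypting File System.
    $efsOid = '1.3.6.1.4.1.311.10.3.4'
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $efsOid)
    }
}
function Test-EfsKeyAvailability {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $FileThumbprint
    )
    $enc  = [IO.FileAttributes]::Encrypted
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    # A file that opens normally can still be encrypted; the attribute is authoritative.
    $isEncrypted = ($item.Attributes -band $enc) -eq $enc
    # EFS requires NTFS. Only local drive letters are queried; UNC roots are reported as unknown.
    $format = 'unknown'
    if ($item.PSDrive.Root -match '^[A-Za-z]:\\$') {
        $format = (New-Object System.IO.DriveInfo($item.PSDrive.Root)).DriveFormat
    }
    $wanted = ($FileThumbprint -replace '\s', '').ToUpper()
    $cert   = Get-EfsCertificate | Where-Object { $_.Thumbprint -eq $wanted }
    # Decision path from the troubleshooting text above.
    $verdict = if (-not $isEncrypted) {
        'File is not encrypted; EFS is not the cause of the access problem.'
    } elseif (-not $cert) {
        'No EFS certificate with this thumbprint in CurrentUser\My: have another authorized ' +
        'user or a data recovery agent decrypt the file, or restore the profile from backup.'
    } elseif (-not $cert.HasPrivateKey) {
        'Certificate present but private key missing (likely exported and deleted): import the .pfx.'
    } else {
        'Certificate and private key present: check NTFS permissions; for a remote file, ' +
        'check delegation and profile availability.'
    }
    New-Object PSObject -Property @{
        Path          = $item.FullName
        Encrypted     = $isEncrypted
        VolumeFormat  = $format
        CertSubject   = $(if ($cert) { $cert.Subject } else { $null })
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        Verdict       = $verdict
    }
}
```

Run it as the user who cannot open the file, since the Cert:\CurrentUser\My store it inspects is per user.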

Encrypted File Is Unencrypted When Copied or Moved

Encrypted files are decrypted when they are copied or moved to non-EFS capable volumes. If the user copies or moves files by using My Computer, the system provides a warning to the user if the destination volume is not EFS capable. If the user copies or moves files by using the copy /d command or the xcopy /g command, the files will be decrypted on the target volume with no warning that this has occurred.

For more information about changes to encryption status when files are copied or moved, see Remote EFS Operations in a File Share Environment earlier in this chapter.

Virus Check Program Cannot Check All Files

When your virus check program tries to check all the files on your hard disk, you get an Access is denied error message. Your virus check program can only read files that have been encrypted by you. If other users have encrypted files on your hard disk, access to these files is denied to the virus check program. To perform a virus check for files that have been encrypted by other users, the other users must log on and run the virus check program.

Common Error Messages

While performing EFS tasks, users might encounter error messages. The following are the most common messages that can occur and the possible causes for them.

Access is denied

You might receive an Access is denied message in one of the following situations:

The directory has been disabled for encryption

This message appears if a user tries to encrypt a folder (or files in the folder) in which a Desktop.ini file has been placed with encryption disabled.

The server is not trusted for remote encryption operation

This message might appear if the remote server that stores a file or folder you are attempting to encrypt or decrypt is not trusted for delegation.

The disk partition does not support file encryption

EFS cannot be enabled on a non-NTFS disk partition. To use EFS, the disk partition must be NTFS.

No valid key set

This message typically occurs in remote encryption or decryption operations. It means that EFS could not locate the correct keys for the operation. This is most likely to occur in remote decryption scenarios. EFS needs to locate your user profile and the private key associated with the public key used to encrypt the file's FEK. This error message might occur if the profile cannot be found, or if the profile can be found but does not contain the correct private key.




Microsoft Windows XP Professional Resource Kit 2003