
FYI, I can confirm this happening in Windows Vista (Business) and Windows 7 Professional in WORKGROUP mode (as both a client and a server). I am not totally sure if this is a Super User question or a Server Fault question.

So there's a client PC and a server. Both machines have a user account with the same password. Both client and server have the same private/public key pair for EFS. The server shares a folder, with the user given full permission. Locally, too, the user has full permission on the folder. Now the user on the client PC connects to the folder on the server, and everything works totally fine. I can read, write and delete files, and create/delete folders on the share.

Things go weird from here. I encrypt the folder on the server. I can delete and modify files fine (so the files decrypted OK). However, the user from the client PC cannot create a folder or create a file, getting Access Denied. But this Access Denied is very special.

  1. It takes over 10 seconds for the client to receive the error, and Explorer freezes while trying to create the folder, eventually returning the error.
  2. On the server, I can watch the folder being created at the same time, and what I see is "New Folder" blinking like crazy and eventually disappearing when the client receives the error, i.e. it's created and deleted in a really rapid manner.

What I do not understand is that the permissions look fine, I can modify/delete files, and it looks like there is no problem with EFS because I can read/write files fine. Yet it fails to create a file or a folder.

Any help is appreciated.

Thanks, wbkang

Asked by wbkang; edited by Chris Thorpe
    Can you please restate your question without all the abbreviations? There is no need to do that, and it makes it harder for us to help you because, well, it's just really hard to read - to the point where I'm afraid to edit them out for fear of losing important points to your question. – Zypher Dec 22 '09 at 06:52
  • The abbreviations "F" with "me". I can follow, but it leaves my head spinning. Although I *can* edit it, I'm going to leave the editing up to the original poster. – Evan Anderson Dec 22 '09 at 14:04
  • Hi wbkang, you've stated that "Both servers have a user called U with the same password". Does that mean two local accounts with the same password? In that case, you may have to export the private key for U from S and import it to C. Having the same password doesn't create identical private/public key pairs. – BlueGene May 25 '10 at 19:53
  • Cleaned the question up. – Chris Thorpe Apr 09 '11 at 13:01
  • Just posted something very similar, and still no clear answer. See here: http://serverfault.com/questions/297069/efs-over-network – Jimmy D Aug 03 '11 at 13:24

2 Answers


You've stated that "Both servers have a user called U with the same password". Does that mean two local accounts with the same password? In that case, you may have to export the private key for U from S and import it to C. Having the same password doesn't create identical private/public key pairs.

BlueGene
  • Hi, I did import the same key to both accounts on the individual machines. The real problem looks to be that while the client can create a file on the server, when it tries to set the encryption property it subsequently fails. I am still not sure why. I ended up resorting to full-disk encryption methods... – wbkang May 26 '10 at 23:47

I don't know what exact problem you are experiencing, but I was under the impression that EFS worked at the NTFS level, so encryption/decryption should be handled by the server (using local or domain user accounts), not by the client...

In your scenario, user U from C (let's call it "UC" for clarity) authenticates to S and is automatically mapped to S's local user U (let's call it "US"); this is the user account which actually encrypts/decrypts files, using its own certificate; whatever certificate user UC might have on computer C really shouldn't matter.

Am I wrong?

Massimo
  • You are correct. It looks like it's some random limitation that UC, who is acting as US, cannot set the encryption property of a file. – wbkang May 26 '10 at 23:48
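The following diagnostic script is an added example and is not code from the question or either answer. It makes Massimo's point testable: since EFS is an NTFS feature applied by the server under the account it maps the connection to, the useful evidence is on the server, namely (a) whether the folder really carries the Encrypted attribute, (b) which certificate thumbprints `cipher /c` reports as able to decrypt the existing files, and (c) whether a file created locally versus through the SMB server (loopback UNC path) is created at all, how long the attempt takes (the question reports a delay of over 10 seconds), and whether the new file inherits the Encrypted bit. The folder path `C:\Shared\Secret` and share name `Secret` are assumptions; adjust them to your setup. Run it in an elevated PowerShell session on the server as the user that owns the EFS key, then run it again from the client with `-ProbeDirs` set to the `\\server\share` path to compare.

```powershell
# Added example (not from the original post). Run ON THE SERVER, elevated,
# as the user whose EFS key is loaded. Assumed values, adjust as needed:
#   -Folder    : local path of the EFS-encrypted, shared folder
#   -ShareName : SMB share name exposing that folder
#   -ProbeDirs : directories in which to attempt a file creation; defaults to
#                the local folder plus the loopback UNC path to the share
param(
    [string]$Folder    = 'C:\Shared\Secret',
    [string]$ShareName = 'Secret',
    [string[]]$ProbeDirs = @()
)

if ($ProbeDirs.Count -eq 0) {
    $ProbeDirs = @($Folder, "\\$env:COMPUTERNAME\$ShareName")
}

function Test-Encrypted([string]$Path) {
    # The Encrypted flag is an NTFS file attribute; it is the same bit Explorer
    # shows as "Encrypt contents to secure data".
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attr -band [IO.FileAttributes]::Encrypted)
}

function Invoke-CreateProbe([string]$Dir) {
    # Create a uniquely named file, time the attempt, report whether it was
    # created and whether it inherited the Encrypted attribute, then clean up.
    $name = 'efs-probe-{0}.txt' -f ([guid]::NewGuid().ToString('N').Substring(0, 8))
    $path = Join-Path $Dir $name
    $sw = [Diagnostics.Stopwatch]::StartNew()
    try {
        New-Item -ItemType File -Path $path -Value 'probe' -ErrorAction Stop | Out-Null
        $sw.Stop()
        $enc = Test-Encrypted $path
        '{0,-40} create OK   ({1,6} ms) encrypted={2}' -f $Dir, $sw.ElapsedMilliseconds, $enc
        Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    } catch {
        $sw.Stop()
        '{0,-40} create FAIL ({1,6} ms) {2}' -f $Dir, $sw.ElapsedMilliseconds, $_.Exception.Message
    }
}

'Folder {0}: Encrypted attribute set = {1}' -f $Folder, (Test-Encrypted $Folder)

# cipher /c lists, per file, the users and certificate thumbprints able to
# decrypt it. Compare the thumbprint here with the one in the server-side
# user's certificate store (certmgr.msc, Personal) to see whose key the server
# used; a client-side key that never appears here cannot be the one in play.
cipher.exe /c $Folder

# Same operation, once per probe directory: a direct NTFS write by the logged-on
# user versus a write through the SMB server, which impersonates the mapped
# local account.
foreach ($dir in $ProbeDirs) {
    Invoke-CreateProbe $dir
}
```

The loopback run only shows the server-side half of the story, because the interactive user's key is already loaded on that machine; the run from the client over `\\server\share` is the one that reproduces the question's symptom, and a FAIL line there with a several-second elapsed time alongside an OK line for the local probe matches the create-then-delete behaviour described in the question.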