Saturday, January 29, 2011

Windows EFS file sharing anomaly

FYI, I can confirm this happening in Windows Vista (Business) and Windows 7 Professional in WORKGROUP mode (as both a client and a server). I am not totally sure if this is a SuperUser question or a ServerFault question.

So there are two PCs, let's call them C (client) and S (server). Both machines have a user called U with the same password. Both C and S have the same private/public key pair for EFS. S shares a folder F with U given full permission. Also locally, the user U has full permission on F. Now, U, from C, connects to F at the server S, and everything works totally fine. I can read, write and delete files and create/delete folders in S.

Things go weird from here. I encrypt the folder F in S. I can delete/modify files fine (so the files in F are decrypted OK). However, U from C cannot create a folder or a file, getting Access Denied. But this Access Denied is very special.

  1. It takes over 10 seconds at C to receive the error, and Explorer freezes while trying to create a folder, eventually returning the error.
  2. In S, I can watch the folder being created at the same time, and what I see is "New Folder" blinking like crazy and eventually disappearing when the client receives the error, i.e. it's created and deleted in a really rapid manner.

What I do not understand is that permissions look fine, I can modify/delete files, and it looks like there is no problem with EFS because I can read/write files fine. Yet it fails to create a file or a folder.

Any help is appreciated.

Thanks, wbkang

  • Hi wbkang, You've stated that "Both servers have a user called U with the same password". Does that mean two local accounts with the same password? In that case, you may have to export the private key for U from S and import it to C. Having the same password doesn't create identical pri/pub key pairs.

    wbkang : Hi, I did import the same key to both accounts on the individual machines. The real problem looks like this: while the client can create a file on the server, when it tries to set the encryption property it subsequently fails. I am still not sure why. I ended up resorting to full-disk encryption methods...
    From BlueGene
  • I don't know what exact problem you are experiencing, but I was under the impression that EFS worked at the NTFS level, so encryption/decryption should be handled by the server (using local or domain user accounts), not by the client...

    In your scenario, user U from C (let's call it "UC" for clarity) authenticates to S and is automatically mapped to S's local user U (let's call it "US"); this is the user account which actually encrypts/decrypts files, using its own certificate; whatever certificate user UC could have on computer C really shouldn't matter.

    Am I wrong?

    wbkang : You are correct. It looks like it's some random limitation that UC who's acting as US cannot set the encryption property of a file.
    From Massimo
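The two replies above separate two operations that the original question lumps together: creating a file over the share (done server-side by US) and setting the Encrypted attribute on that file (the step wbkang found failing for the remote user). The following PowerShell probe, written for this page and not taken from the thread, runs both steps from the client C and reports which one fails, so the symptom can be pinned down without guessing. It assumes a placeholder share path `\\S\F` and that the target folder itself is not encrypted, so that step 1 isolates plain creation from inheritance of the folder's encryption flag.

```powershell
# Added diagnostic example (not from the original thread).
# Assumes: run on client C as user U; $SharePath is a placeholder for a folder on
# the share from S that is NOT itself encrypted, so file creation is tested on its own.
param([string]$SharePath = '\\S\F')

$testFile = Join-Path $SharePath ('efs-probe-{0}.txt' -f [guid]::NewGuid())

# Step 1: plain file creation over SMB. Per the thread, the NTFS work is done on
# the server by the mapped local account US, so this is expected to succeed.
try {
    Set-Content -LiteralPath $testFile -Value 'probe' -ErrorAction Stop
    Write-Host "create OK: $testFile"
} catch {
    Write-Host "create FAILED: $($_.Exception.Message)"
    return
}

# Step 2: ask the server to mark the file encrypted. This is the operation that
# wbkang reports failing when UC (remote) is acting as US on the server.
try {
    [System.IO.File]::Encrypt($testFile)
    $attrs = (Get-Item -LiteralPath $testFile).Attributes
    if ($attrs -band [System.IO.FileAttributes]::Encrypted) {
        Write-Host 'encrypt OK: Encrypted attribute is set on the server copy'
    } else {
        Write-Host 'encrypt returned without error but the attribute is not set'
    }
} catch {
    Write-Host "encrypt FAILED: $($_.Exception.Message)"
}

# Step 3: remove the probe file so nothing is left behind on the share.
Remove-Item -LiteralPath $testFile -ErrorAction SilentlyContinue
```

Run it once against an unencrypted folder on the share and once against the encrypted folder F: a "create OK" followed by "encrypt FAILED" matches the thread's finding that the failure is specific to setting the encryption property remotely, while a failure already at step 1 inside F is the same limitation surfacing through the folder's inherited encryption flag. Because the Encrypted attribute is read back from the server-side file, the check reflects what S actually did, not what the client assumed.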
