
Multiple EFS Certificates with Server and Roaming Users


Seasanctuary
June 1st 04, 04:50 PM
I'm trying to set up a server share (W2k3 Server Standard) for
encrypted files accessible by a group of people with roaming profiles.
The client machines are all XP Pro.

This went fine for six of the users, but I'm having multiple EFS
certificate issues with the seventh user/machine I'm setting up (Yes,
that means multiple certificate hashes). I botched the initial setup
somehow for this user, and want to eliminate all EFS certificates on
his local machine and on the server with the share. Then, I want to
be able to request a single new EFS certificate and have it remain
just that one certificate.

My cleanup method is missing something, can anyone identify it?

* I remove the user from roaming profiles and delete the roaming
profile directory on the server.
* I remove the user's "Documents and Settings" folder from the server.
* I revoke all CA issued certificates for the user in question.
* I clean off all such certificates from the user's "user" and "local
machine" certificates.
* I clean off all such certificates from the server's "local machine"
certificates.
* Reboot, check for stray certificates until I can reboot with no
certificates appearing.

At this point, the old certificates should no longer exist...but there
is still something left I'm missing.

Then, I re-enable roaming profiles (and confirm it's in
effect)...request an EFS User certificate from the domain controller's
CertSrv (the domain controller is not the file sharing server I've
been referring to thus far)...and finally attempt to reboot the local
machine or encrypt a file on the server share.

And, blam...I end up with two active certificates again...or the
server encrypts the shared file with an already-revoked certificate.

Any tips on getting to a single active EFS certificate for this
user...and having the sharing server not encrypt files with
already-revoked certificates?

Thank you,
Seasanctuary
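An inventory script for the situation described above, added here as an example and not part of the original post. It lists every certificate carrying the EFS enhanced key usage in the user's and the machine's Personal stores, reads the certificate hash EFS currently uses for the logged-on user (EFS stores it under HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\CertificateHash, a value that survives deleting the certificate it names), and runs `cipher /c` over the encrypted files on a share to show which thumbprints actually protect them. Run it as the affected user on the XP client and again on the file server, since the server keeps its own profile for that user. The share path `\\fileserver\efsshare` is hypothetical, and the regular expression for `cipher /c` output is an assumption about that tool's wording.

```powershell
# Added example (not from the original post): inventory EFS certificates and
# compare them with the hash EFS currently uses and with the certificates that
# protect files on a share. Assumptions: the share path is hypothetical and the
# cipher /c output parsing relies on the "thumbprint: XXXX XXXX ..." wording.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System

function Get-EfsCertificate {
    # Every certificate with the EFS EKU in the CurrentUser and LocalMachine
    # Personal stores. Two rows with different thumbprints for the same user
    # means two active EFS certificates.
    foreach ($storePath in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem -Path $storePath | Where-Object {
            $ekus = $_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
            $ekus -contains $EfsEkuOid
        } | ForEach-Object {
            [pscustomobject]@{
                Store         = $storePath
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
            }
        }
    }
}

function Get-EfsCurrentKeyHash {
    # Thumbprint EFS will encrypt new files with for this user. The value only
    # exists once EFS has been used in this profile; it is not removed when
    # the certificate itself is deleted from the store.
    $keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
    $item = Get-ItemProperty -Path $keyPath -Name CertificateHash -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    ($item.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Get-EfsFileThumbprint {
    # Thumbprints that cipher.exe reports as able to decrypt one file.
    # Assumption: cipher /c prints "... thumbprint: <hex groups>" lines.
    param([Parameter(Mandatory)][string]$Path)
    $output = & cipher.exe /c $Path 2>&1
    foreach ($line in $output) {
        if ($line -match 'thumbprint:\s*([0-9A-Fa-f ]+)$') {
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

# --- Report ---------------------------------------------------------------
$certs = @(Get-EfsCertificate)
"EFS certificates present in the stores:"
$certs | Format-Table -AutoSize | Out-String

$current = Get-EfsCurrentKeyHash
"Hash EFS currently uses (HKCU CurrentKeys): $current"
if ($current -and ($certs.Thumbprint -notcontains $current)) {
    "WARNING: EFS still points at a certificate that is in neither store."
}

# Hypothetical share: for each encrypted file, show every protecting
# thumbprint and whether that certificate is actually installed here.
$share = '\\fileserver\efsshare'
Get-ChildItem -Path $share -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 } |
    ForEach-Object {
        foreach ($tp in Get-EfsFileThumbprint -Path $_.FullName) {
            [pscustomobject]@{
                File       = $_.FullName
                Thumbprint = $tp
                Installed  = ($certs.Thumbprint -contains $tp)
            }
        }
    } | Format-Table -AutoSize
```

A file whose protecting thumbprint shows `Installed = False` on the server is one the server is still encrypting (or keeping encrypted) with a certificate that is no longer in any store there, which is the symptom of a revoked certificate being reused. The `CertificateHash` value is worth recording from both the client and the server before and after the cleanup, since it is the one place this script reads that is outside the certificate stores.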
