Windows – EFS Recovery Agent not working

encrypting-file-system encryption windows

I know EFS data recovery has been discussed so many times in the forums but I could not find anything useful in the other threads as I believe I have followed all the required steps but still cannot get EFS recovery agent to work.

I have a Client1 (Win 8.1) and a DC1 (Windows Server 2012 R2) under beta.com domain.

DC1 is a CA server as well as a domain controller.

1. I logged into DC1 as beta.com\Administrator which is the Domain Administrator account.

2. I duplicated the EFS Recovery Agent template on the DC1 and published it into Active Directory.

3. Then I edited the Default Domain Policy GPO and under Computer Settings\Policies\Windows Settings\Security Settings\Public Key Policies I right clicked Encrypting File System and selected Create a Data Recovery Agent and a new file recovery certificate was generated for the Administrator account.

4. I exported the newly-created Recovery Agent certificate and then logged into Client1 as beta.com\Administrator and imported it.

5. I then logged off from Client1 and logged back in using a different account beta.com\johns and encrypted a folder (with a text file inside) using EFS. (The folder address on local disk is C:\Reports)

6. Then I logged back into Client1 again using beta.com\Administrator but I am unable to open the file inside the folder and I get an Access is denied message.

It is very strange to get an "Access is denied" message because on the text file when I right click and click Properties -> Advanced -> Details, under the Recovery Certificates, the Administrator account's certificate is listed and its thumbprint corresponds to the same recovery certificate which I created in step 3. But I am still unable to access the file.

Do you have any idea why? Am I missing something?

Thanks in advance.
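The situation in the question (the recovery certificate's thumbprint is listed on the file, yet the recovery account still gets "Access is denied") is exactly what a diagnostic script can pin down: a Data Recovery Agent can only decrypt when the certificate with that thumbprint sits in the agent's own personal store together with its private key. The following PowerShell is an added example, not code from the original post; it runs on the client as the intended recovery account, cross-checks the thumbprints that `cipher.exe /c` reports under "Recovery Certificates" against `Cert:\CurrentUser\My`, and reports whether the private key is present. The file path is a placeholder, and the line-by-line parsing of `cipher.exe` output is an assumption about its text layout.

```powershell
<#
  Added diagnostic example (not from the original question).
  Run on the client (Client1 in the thread) while logged on as the account
  that should act as Data Recovery Agent (beta.com\Administrator).
  Assumptions: the file path is a placeholder; the parser relies on the
  text layout of "cipher.exe /c" output, i.e. a "Recovery Certificates:"
  section followed by "Certificate thumbprint:" lines.
#>

# EKU OID that EFS puts on Data Recovery Agent certificates ("File Recovery").
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsRecoveryThumbprints {
    # Returns the thumbprints cipher.exe lists under "Recovery Certificates" for $Path.
    param([Parameter(Mandatory)][string]$Path)

    $text = (& "$env:SystemRoot\System32\cipher.exe" /c $Path 2>&1) -join "`n"
    $inRecovery = $false
    $found = New-Object System.Collections.Generic.List[string]
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^\s*Recovery Certificates:') { $inRecovery = $true; continue }
        # Any other section header ends the recovery block (layout assumption).
        if ($line -match '^\s*(Users who can decrypt|Key Information):') { $inRecovery = $false; continue }
        if ($inRecovery -and $line -match '^\s*Certificate thumbprint:\s*(.+)$') {
            # cipher prints the thumbprint in space-separated groups; normalise it.
            $found.Add((($Matches[1] -replace '\s', '').ToUpperInvariant()))
        }
    }
    return $found
}

function Test-EfsRecoveryAgent {
    # For each recovery thumbprint on the file, check the current user's personal
    # store: the DRA can decrypt only when that certificate AND its private key exist.
    param([Parameter(Mandatory)][string]$Path)

    $store = Get-ChildItem Cert:\CurrentUser\My
    foreach ($tp in (Get-EfsRecoveryThumbprints -Path $Path)) {
        $cert   = $store | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
        $hasKey = $false
        $hasEku = $false
        if ($cert) {
            $hasKey = [bool]$cert.HasPrivateKey
            $hasEku = [bool]($cert.EnhancedKeyUsageList | Where-Object ObjectId -eq $FileRecoveryOid)
        }
        if (-not $cert)     { $verdict = 'certificate not present in this user''s personal store' }
        elseif (-not $hasKey) { $verdict = 'public certificate only: the export/import must carry the private key (.pfx), not just the .cer' }
        elseif (-not $hasEku) { $verdict = 'private key present but certificate lacks the File Recovery EKU' }
        else                  { $verdict = 'DRA certificate and private key present; decryption should succeed' }

        [pscustomobject]@{
            File            = $Path
            Thumbprint      = $tp
            InUserStore     = [bool]$cert
            HasPrivateKey   = $hasKey
            FileRecoveryEku = $hasEku
            Verdict         = $verdict
        }
    }
}

# Placeholder path; the thread's encrypted folder is C:\Reports.
Test-EfsRecoveryAgent -Path 'C:\Reports\report.txt' | Format-List
```

If the verdict reports a missing private key, the certificate was imported from a public-only export; re-export the recovery agent's certificate from the account that generated it with the private key included and import that instead. If the thumbprint on the file does not appear in the store at all, the file was encrypted before the updated policy reached the client, and `cipher /u` on the client will refresh the recovery information once the policy has applied.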

Best Answer

We have had issues with encrypting files on a fileshare where we would lose access to the files after a reboot. Rebooting clears the local certificate cache on the server.

Apparently we solved this by trusting the server computer for delegation. This is done in Active Directory, under the server computer's object - there is a pane called "Delegation". By default all computers are not trusted for delegation, but by setting "Trust this computer for delegation to any service (Kerberos only)" we were able to access encrypted files across our fileshare even after a reboot.
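The "Trust this computer for delegation to any service (Kerberos only)" option described above sets the computer account's TrustedForDelegation flag, i.e. unconstrained delegation, which lets the server act on behalf of any connecting user towards any service. Because of that reach, the companion check is to see which hosts in the domain carry the flag and whether a narrower constrained list would do. The following PowerShell is an added example, not code from the answer; it needs the RSAT ActiveDirectory module, and the server name FS1 is a placeholder.

```powershell
<#
  Added example (not from the answer above). Requires the RSAT ActiveDirectory
  module; "FS1" is a placeholder server name.
  Maps the ADUC "Delegation" tab options to the attributes they set:
    - "any service (Kerberos only)"      -> TrustedForDelegation (unconstrained)
    - "specified services only"          -> msDS-AllowedToDelegateTo (constrained)
    - "use any authentication protocol"  -> TrustedToAuthForDelegation (protocol transition)
#>
Import-Module ActiveDirectory

function Get-ComputerDelegationState {
    # Reports how one computer account is configured for Kerberos delegation.
    param([Parameter(Mandatory)][string]$ComputerName)

    $c = Get-ADComputer -Identity $ComputerName `
            -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    [pscustomobject]@{
        Computer           = $c.Name
        Unconstrained      = [bool]$c.TrustedForDelegation        # the option used in the answer
        ProtocolTransition = [bool]$c.TrustedToAuthForDelegation
        ConstrainedTargets = @($c.'msDS-AllowedToDelegateTo')     # SPNs, empty when not constrained
    }
}

function Get-UnconstrainedDelegationHosts {
    # Inventory of every computer account with unconstrained delegation enabled.
    # Domain controllers carry this flag by design; any other host should have a
    # documented reason (such as the EFS-on-a-share case in the answer).
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties OperatingSystem |
        Select-Object Name, OperatingSystem, DistinguishedName
}

Get-ComputerDelegationState -ComputerName 'FS1' | Format-List
Get-UnconstrainedDelegationHosts | Format-Table -AutoSize
```

Running the inventory before and after applying the setting gives a record of which file servers were granted unconstrained delegation for this purpose, so the change does not get lost among the domain controllers that legitimately carry the flag.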
