Windows 2000 Security microsoft.public.win2000.security

 
 
  #1  
Old 04-30-05, 10:13 PM
Robert
Cannot Decrypt Files
Hi,

I am logged in to a standalone W2K machine as the user who encrypted the
files. Efsinfo and MMC Certificates have indicated that my certificate
thumbprints are the same. Efsinfo however states that the user is unknown
even though CN=<myuser>..not sure if that matters. An interesting side note
is that when I attempt to request a certificate with the same key from my
personal efs certificate I receive an error message stating that the selected
certificate has no private key. Any help would be appreciated.

TIA,
Robert
  #2  
Old 05-01-05, 02:13 AM
Steven L Umbach
Re: Cannot Decrypt Files
When you view your certificate in the mmc snapin for certificates for "user"
and look at the general page it needs to show "you have a private key that
corresponds to this certificate". If not you will not be able to access the
EFS files with that certificate. Possibly at one time you exported the
certificate and private key to a password protected .pfx file AND in the
process checked the option to delete the private key?? If that is so, import
the .pfx certificate/private key back into that computer to access the EFS
files. Windows 2000 also requires a Recovery Agent for EFS which is the
built in administrator account for a non domain computer which probably is
what was referenced to as "unknown user". So try logging on as the built in
administrator account to see if that works or importing the domain's RA
certificate/private key from a .pfx file for it. Efsinfo /r shows RA
information. In a domain the RA can typically be the built in administrator
account for the domain and the best place to look for that certificate
would be on the first domain controller in the domain which may be the pdc
fsmo. You cannot request a certificate with the same private key if the
private key does not exist with the certificate which is why you get that
message. FYI the EFS certificate/private key live in the user's profile. So
if you have a backup of the user's profile for that installation of the
operating system you may be able to restore a copy of the profile and thus
the private key assuming the backup contained the private key. --- Steve

http://support.microsoft.com/default...b;EN-US;223316

"Robert" <Robert@discussions.microsoft.com> wrote in message
news:FF62B5A2-3172-47AD-B31B-261B26646219@microsoft.com...
> Hi,
>
> I am logged in to a standalone W2K machine as the user who encrypted the
> files. Efsinfo and MMC Certificates have indicated that my certificate
> thumbprints are the same. Efsinfo however states that the user is unknown
> even though CN=<myuser>..not sure if that matters. An interesting side note
> is that when I attempt to request a certificate with the same key from my
> personal efs certificate I receive an error message stating that the selected
> certificate has no private key. Any help would be appreciated.
>
> TIA,
> Robert



  #3  
Old 05-02-05, 10:13 PM
Robert
Re: Cannot Decrypt Files
Hi Steven,

Thank you very much for your response.
The general page does indeed show that I "have a private key that
corresponds to this certificate". It does however say that "This CA Root
certificate is not trusted." And also as a step in this ordeal I had in fact
exported what I believed to be the certificate of my user to a .pfx file and
have since imported it back into my personal certificate folder with no
success in decrypting the files. Perhaps I did not import it correctly
although I did receive the successful message...
I have also logged in as the local administrator that Efsinfo indicated has
a matching thumbprint to the RA and have not been able to decrypt.
My laptop has been part of a domain in the past but is now a standalone in a
workgroup. Could that possibly matter?

Many thanks,
Robert

"Steven L Umbach" wrote:

> When you view your certificate in the mmc snapin for certificates for "user"
> and look at the general page it needs to show "you have a private key that
> corresponds to this certificate". If not you will not be able to access the
> EFS files with that certificate. Possibly at one time you exported the
> certificate and private key to a password protected .pfx file AND in the
> process checked the option to delete the private key?? If that is so, import
> the .pfx certificate/private key back into that computer to access the EFS
> files. Windows 2000 also requires a Recovery Agent for EFS which is the
> built in administrator account for a non domain computer which probably is
> what was referenced to as "unknown user". So try logging on as the built in
> administrator account to see if that works or importing the domain's RA
> certificate/private key from a .pfx file for it. Efsinfo /r shows RA
> information. In a domain the RA can typically be the built in administrator
> account for the domain and the best place to look for that certificate
> would be on the first domain controller in the domain which may be the pdc
> fsmo. You cannot request a certificate with the same private key if the
> private key does not exist with the certificate which is why you get that
> message. FYI the EFS certificate/private key live in the user's profile. So
> if you have a backup of the user's profile for that installation of the
> operating system you may be able to restore a copy of the profile and thus
> the private key assuming the backup contained the private key. --- Steve
>
> http://support.microsoft.com/default...b;EN-US;223316

  #4  
Old 05-03-05, 02:12 AM
Steven L Umbach
Re: Cannot Decrypt Files
The certificate that says you have the private key for, try to export the
certificate and private key to a password protected .pfx file to verify that
the private key is intact and not corrupt. As far as the root CA not being
trusted, I don't think that should matter for file encryption and
decryption. When you try to import a certificate/private key for EFS, verify
that it shows up in the mmc certificate snapin for user in the personal
certificate folder. If not try to import it directly from that folder. Also
while logged on as the built in administrator account, check to see if there
is indeed a Recovery Agent certificate/private key in the certificate store
for user.

As far as being in a domain. Did you use EFS as a domain user, local
computer users, or both?? --- Steve


"Robert" <Robert@discussions.microsoft.com> wrote in message
news:2A817D0E-770D-4E89-88F3-AF4B53E510BF@microsoft.com...
> Hi Steven,
>
> Thank you very much for your response.
> The general page does indeed show that I "have a private key that
> corresponds to this certificate". It does however say that "This CA Root
> certificate is not trusted." And also as a step in this ordeal I had in fact
> exported what I believed to be the certificate of my user to a .pfx file and
> have since imported it back into my personal certificate folder with no
> success in decrypting the files. Perhaps I did not import it correctly
> although I did receive the successful message...
> I have also logged in as the local administrator that Efsinfo indicated has
> a matching thumbprint to the RA and have not been able to decrypt.
> My laptop has been part of a domain in the past but is now a standalone in a
> workgroup. Could that possibly matter?
>
> Many thanks,
> Robert
>
> "Steven L Umbach" wrote:
>
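
Added example (not part of any post in this thread): the store checks Steven describes, that is, whether an EFS or Recovery Agent certificate sits in the logged-on user's personal store, carries a private key, and matches the thumbprint efsinfo reports for the file. It assumes a later Windows version with PowerShell (Windows 2000 did not ship with it); `$FileThumbprint` and the helper name `ConvertTo-PlainThumbprint` are illustrative.

```powershell
# Added example, not from the thread. Assumes a Windows version with PowerShell.
# Run once as the user who encrypted the files and once as the built-in administrator.
param(
    # Thumbprint efsinfo reports for the file (user or Recovery Agent); empty = skip matching
    [string]$FileThumbprint = ''
)

$roles = @{
    '1.3.6.1.4.1.311.10.3.4'   = 'EFS'            # Encrypting File System EKU
    '1.3.6.1.4.1.311.10.3.4.1' = 'File Recovery'  # Recovery Agent EKU
}

# Tools often display thumbprints with spaces; the store property has none,
# so strip everything that is not a hex digit before comparing.
function ConvertTo-PlainThumbprint([string]$Text) {
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}
$wanted = ConvertTo-PlainThumbprint $FileThumbprint

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    # Collect the certificate's EKU OIDs and keep only the EFS-related ones
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    $role = @($ekus | Where-Object { $roles.ContainsKey($_) } | ForEach-Object { $roles[$_] })
    if ($role.Count -eq 0) { return }   # not an EFS or recovery certificate, skip it

    [pscustomobject]@{
        Subject       = $cert.Subject
        Role          = $role -join ', '
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        MatchesFile   = ($wanted -ne '' -and $cert.Thumbprint -eq $wanted)
    }
} | Format-List
```

`HasPrivateKey` only reports that the store links the certificate to a key, not that the key can actually be used, so exporting to a password-protected .pfx as described in the post above remains the test that the key is intact.
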


  #5  
Old 02-24-06, 11:56 AM
Mike Allen
Re: Re: Cannot Decrypt Files
I have a very similar problem to this.

My IS Admin recently migrated my account from one domain to another (within the domain forest). Following this, I can no longer decrypt my files.

Using the Certificates snap-in in MMC, I can see that I still have the EFS certificate that I originally used to encrypt my files with (same thumbprint). Furthermore, MMC tells me that I have a private key for this certificate. However, if I attempt to export the certificate, the "Yes, export private key" option is grayed out. I understand that this might mean that the certificate was imported and the private key marked as not being exportable. Then again, if I attempt to "Request Certificate with Same Key", I'm told that "The selected certificate has no private key".

It appears that the private key somehow got corrupted when my account was migrated. (I assume this is because it is salted with my SID or domain\username string.)

I can't use the local Administrator account as the recovery agent either. It no longer has an EFS certificate at all!

Would migrating me back to the old domain help at all? A lot of these files are very important and I don't want to lose them (and yeah, it would have been nice had I saved a copy of my private certificate, but I've only just discovered - the hard way - that this is essential!).

Failing that, and assuming that the private key is there but inaccessible because of my new domain, can I somehow get access to the certificate and the private key using my old SID, account name and password?

Any other ideas?
  #6  
Old 02-28-06, 10:17 PM
Steven L Umbach
Re: Cannot Decrypt Files
Apparently something went wrong with the migration. Unless you can export
the private key then there is a problem associating it with your user
account. There is a program from Elcomsoft that could possibly help. The
free version will at least let you know if you can access the EFS private
key [after entering the password for the user that is associated with the
private key] but will only decrypt small files. It may help to migrate you
back to the old domain and would certainly be worth a try if the files are
as important as they sound. I would also use efsinfo to see what Recovery
Agents can decrypt the file which may be more or other than the built in
administrator account. --- Steve

http://www.elcomsoft.com/aefsdr.html --- Elcomsoft

"Mike Allen" <Mike.Allen.23xz2s@mail.mcse.ms> wrote in message
news:Mike.Allen.23xz2s@mail.mcse.ms...
>
> I have a very similar problem to this.
>
> My IS Admin recently migrated my account from one domain to another
> (within the domain forest). Following this, I can no longer decrypt my
> files.
>
> Using the Certificates snap-in in MMC, I can see that I still have the
> EFS certificate that I originally used to encrypt my files with (same
> thumbprint). Furthermore, MMC tells me that I have a private key for
> this certificate. However, if I attempt to export the certificate, the
> "Yes, export private key" option is grayed out. I understand that this
> might mean that the certificate was imported and the private key marked
> as not being exportable. Then again, if I attempt to "Request
> Certificate with Same Key", I'm told that "The selected certificate has
> no private key".
>
> It appears that the private key somehow got corrupted when my account
> was migrated. (I assume this is because it is salted with my SID or
> domain\username string.)
>
> I can't use the local Administrator account as the recovery agent
> either. It no longer has an EFS certificate at all!
>
> Would migrating me back to the old domain help at all? A lot of these
> files are very important and I don't want to lose them (and yeah, it
> would have been nice had I saved a copy of my private certificate, but
> I've only just discovered - the hard way - that this is essential!).
>
> Failing that, and assuming that the private key is there but
> inaccessible because of my new domain, can I somehow get access to the
> certificate and the private key using my old SID, account name and
> password?
>
> Any other ideas?
>
>
>
> --
> Mike Allen



  #7  
Old 08-02-07, 12:50 PM
fmadero
Extract Private Key from Certificate
steven:

Is there a way to extract the private key from a certificate and make it the current user's private key?

-frank
 

