Credential Roaming + EFS - how to clean up user certificates?



Guest CJespersen
Posted

Hi

We have a major issue. Thousands of EFS certificates have been issued to various users. The problem was only found because a user got an error when trying to copy an entry from the Global Address List to a local Contacts. Reason being that 25 certificates existed for that user, which was too much for the copy process into the local Contacts.

Following up on this, we found that almost all users have multiple EFS certificates, some up to 50 certs or more. The domain supports about 5.000 users, meaning that way too many certs have been issued. Now we need to clean up and remove unnecessary certificates - at the same time we need to assure that the configuration/setup is correct so that future use of EFS and credential roaming works as expected.

Credential roaming is enabled and EFS is used for Offline Files for all laptops in order to encrypt all company data when used offline.

The environment is Vista clients and Windows Server 2003 SP1/SP2 AD/Servers.

The encryption works fine using EFS. In order to be able to access data on different computers, credential roaming is used together with EFS for offline file encryption. This means that EFS user certificates will be available on all domain computers where the user logs in.

Now we found out that way too many EFS certificates have been deployed. We are wondering if the EFS certificate template settings are correct.

The current EFS template is based on a copy of the default V1 EFS template into a V2 template with the following settings:

- "Publish Certificate in Active Directory" is currently enabled
- "Do not automatically reenroll if a duplicate certificate exists in Active Directory" was not enabled, but we changed it right now in order to avoid more certificates being issued for the time being, until we find the right solution - so now it is enabled.
- Auto-enrollment is enabled for the users (and computers)
- Credential roaming GPO is enabled for all normal users located in a special OU.
- EFS is enabled for all laptops in specific OUs
- Encryption of offline files is enabled together with EFS
- Folder redirection of the users' Documents directory is enabled, automatically making them available offline.

Now I come to the questions:

1) What are the correct certificate template settings when using auto-enrollment together with EFS? Is it necessary to enable "publish to AD" at all, when using credential roaming, as this mechanism copies certs from one user cert store to another through AD? Various documentation and other posts in this newsgroup indicate different settings.

2) Any suggestions on how to clean up all the EFS certs without losing data and without bothering the clients/users too much?

Any suggestions will be highly appreciated.

kind regards

CJ
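The post describes a template with "Publish Certificate in Active Directory" enabled for 5.000 auto-enrolling users, so the first thing an administrator needs before deciding on cleanup is a count of how many EFS certificates each user object actually carries. The script below is an added example, not part of the original post and not Microsoft's code. It reads only the userCertificate attribute (the attribute the "Publish Certificate in Active Directory" option fills) through System.DirectoryServices, so it runs without the ActiveDirectory module; the LDAP search base is a placeholder to adjust, the reporting threshold of 10 is arbitrary, and the EFS application-policy OID 1.3.6.1.4.1.311.10.3.4 is the standard "Encrypting File System" EKU.

```powershell
# Added example, not part of the original post. Read-only inventory of the EFS
# certificates published to each user's userCertificate attribute in AD.
# Assumptions: $SearchBase is a placeholder to adjust; $Threshold is arbitrary.
param(
    [string]$SearchBase = 'LDAP://OU=Users,DC=example,DC=com',   # placeholder
    [int]$Threshold = 10
)

# "Encrypting File System" application policy (EKU) OID
$efsEku = '1.3.6.1.4.1.311.10.3.4'

# True when the certificate carries the EFS EKU in its Enhanced Key Usage extension.
function Test-EfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $efsEku) { return $true }
            }
        }
    }
    return $false
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
# Only user objects that have at least one value in userCertificate.
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(userCertificate=*))'
$searcher.PageSize = 500            # paged search so a large OU is not truncated
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('userCertificate')

$now = Get-Date
$report = foreach ($result in $searcher.FindAll()) {
    $sam = [string]$result.Properties['samaccountname'][0]
    $efs = 0; $expiredEfs = 0; $other = 0
    foreach ($raw in $result.Properties['usercertificate']) {
        try {
            # Each attribute value is the DER-encoded certificate.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        } catch {
            $other++            # value that does not parse as a certificate
            continue
        }
        if (Test-EfsCertificate $cert) {
            $efs++
            if ($cert.NotAfter -lt $now) { $expiredEfs++ }
        } else {
            $other++
        }
    }
    [pscustomobject]@{
        User       = $sam
        EfsCerts   = $efs
        ExpiredEfs = $expiredEfs
        OtherCerts = $other
    }
}

# Users at or above the threshold, worst first.
$over = @($report | Where-Object { $_.EfsCerts -ge $Threshold } | Sort-Object EfsCerts -Descending)
$over | Format-Table -AutoSize
"Users with $Threshold or more published EFS certificates: $($over.Count) of $(@($report).Count) users with any certificate published"
```

Run it as a user who can read the OU; it changes nothing. The ExpiredEfs column separates certificates that can no longer be used for new encryption from ones that are merely duplicates, which matters for the second question in the post: a published copy in userCertificate is not what EFS uses to decrypt a file (that is the private key in the user's own certificate store, which credential roaming carries through the separate msPKI-AccountCredentials attribute), so trimming the published copies is a distinct, lower-risk step from removing certificates and keys from the users' stores.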

2 months later...

Guest CJespersen
Posted

Hi

I just want to inform you that this seems to be a Vista design issue. I am waiting for MS Support stating what our options are to get this to work.

kind regards

Claus

--

Claus Jespersen

2 weeks later...

Guest CJespersen
Posted

Hi

Updated information about the support case for this incident will be posted shortly on my blog http://clausjespersen.spaces.live.com/blog

Claus Jespersen