The certificate store contains more than one basic EFS certificate for a user (837359)



The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional

SYMPTOMS

When you grant a user permission to access an encrypted file, the certificate store may contain more than one basic Encrypting File System (EFS) certificate for this user. This symptom occurs when you grant permissions in a Microsoft Windows Server 2003 Active Directory domain or a Microsoft Windows 2000 Server Active Directory domain.

CAUSE

This behavior occurs because the certificate store contains more than one basic EFS certificate that has been issued to the user by the enterprise certification authority (CA). This situation occurs because every time the user logs on to a computer that is not the user's regular computer, a request for a basic EFS certificate is generated. The enterprise CA then issues a new basic EFS certificate to the user. The request for a basic EFS certificate occurs when the user logs on to a computer in a Windows Server 2003 Active Directory domain or a Windows 2000 Server Active Directory domain. The user can access an encrypted file from a computer that is not the user's regular computer only if the user's EFS certificate (with its private key) is installed on that computer.

If the user's basic EFS certificate is not present when the user tries to open an encrypted file, a request for a basic EFS certificate is generated. The computer that the user logs on to stores the new basic certificate in the personal certificate store of the user. The enterprise CA issues a basic EFS certificate even if a basic EFS certificate has already been issued to the user. The existing certificate may be available on the user's regular computer but not on the computer the user has logged on to.

Note: Users, computers, and services can automatically request EFS certificates without user intervention. Whether this automatic enrollment occurs depends on the public key policies in the domain.
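To confirm on a given computer that the accumulation described above has happened, the following added example (not part of this article) lists every basic EFS certificate in the current user's personal store and marks the one EFS is currently using. It assumes a Windows version with PowerShell and its Cert: provider; the EFS enhanced key usage OID and the EFS\CurrentKeys registry value it reads are the standard Windows locations.

```powershell
# Added example, not code from the KB article. Lists the basic EFS certificates in the
# current user's personal store and marks the one EFS encrypts new files with, so the
# accumulation described under CAUSE can be confirmed on this computer.
# Assumes PowerShell with the Cert: provider (Windows Vista / Server 2008 or later).
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # standard "Encrypting File System" EKU OID

function Get-UserEfsCertificate {
    # EnhancedKeyUsageList is the property the Cert: provider adds to each certificate.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid } |
        Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter, HasPrivateKey
}

function Get-CurrentEfsThumbprint {
    # EFS records the SHA-1 hash of the certificate it uses for new encryptions under
    # HKCU\...\EFS\CurrentKeys in the REG_BINARY value CertificateHash.
    $key  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
    $hash = (Get-ItemProperty -Path $key -Name CertificateHash -ErrorAction SilentlyContinue).CertificateHash
    if ($hash) { ($hash | ForEach-Object { $_.ToString('X2') }) -join '' }
}

$certs   = @(Get-UserEfsCertificate)
$current = Get-CurrentEfsThumbprint

foreach ($c in $certs) {
    $tag = if ($c.Thumbprint -eq $current) { 'CURRENT' } else { 'extra  ' }
    '{0} {1} issued by {2}; valid {3:d} to {4:d}; private key present: {5}' -f
        $tag, $c.Thumbprint, $c.Issuer, $c.NotBefore, $c.NotAfter, $c.HasPrivateKey
}

if ($certs.Count -gt 1) {
    "$($certs.Count) basic EFS certificates found for $env:USERNAME on $env:COMPUTERNAME."
    'Each extra certificate was enrolled on a computer where the existing one was not present;'
    'a roaming profile (see WORKAROUND) keeps one certificate and key available everywhere.'
}
```

On Windows 2000 or Windows XP, where this PowerShell provider is not available, `certutil -user -store My` lists the same personal-store certificates for inspection.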

WORKAROUND

To work around this behavior, switch the user profile of the user to whom you want to grant permissions from a local profile to a roaming profile.

Windows Server 2003 and Windows 2000 Server support roaming user profiles, which make it possible for certificates to follow users. Therefore, the certificates are available on any computer the user logs on to. If roaming user profiles are enabled, user profiles, including issued certificates and private keys, are stored on the domain controller. The roaming profile is downloaded to the local computer when the user logs on, so the existing EFS certificate is present and no new enrollment request is generated.

REFERENCES

To obtain a copy of the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services book, visit the following Microsoft Web site:

For more information about EFS in Windows 2000, visit the following Microsoft "Step-by-Step Guide to Encrypting File System (EFS)" Web site:

Modification Type: Minor
Last Reviewed: 12/8/2005
Keywords: kbtshoot kbprb KB837359 kbAudEndUser kbAudITPRO