Experts, please advise: how can clients open encrypted files on Windows Server 2008 R2? Thanks

  • Question

  • I built a file server on Windows Server 2008 R2. The clients run Win7, all activated genuine copies. Client logon and access permissions for specific folders are granted through the domain controller, and all of that has been configured and tested without problems.

    Next, if on the server side I EFS-encrypt some of the files the clients can access, how do I import the key so that clients can open these files over the LAN? I tried exporting the key certificate on the server, copying it to the client and importing it. The certificate imported successfully, but the client still cannot open the encrypted file and gets "Access denied". I also tried importing the certificate on the server under Group Policy - User - Security - Public Key Policies - Trusted People. I also tried finding the corresponding client user in AD and adding the certificate in its properties. The result is still "Access denied".

    April 12, 2013 22:01

All replies

  • Refer to this:

    Using Encrypting File System
    http://technet.microsoft.com/en-us/library/bb457116.aspx

    the section "Remote EFS Operations in a File Share Environment",

    specifically the 6 "requirements for successful remote EFS operations in a file share environment" listed there.


    • Edited by Finy April 15, 2013 3:11
    April 15, 2013 3:08
  • Thanks, brother Finy, a guiding light. Studying it... it's in English...
    April 15, 2013 15:28
  • Remote EFS Operations in a File Share Environment

    Remote EFS operations on files stored on network file shares are possible in Windows 2000 or later domain environments only. Domain users can remotely encrypt or decrypt files, but this capability is not enabled by default. The following are requirements for successful remote EFS operations in a file share environment:

    1. The files to be encrypted must be available to the user through a network share. Normal share-level security applies.

    2. The user must have Write or Modify permissions to encrypt or decrypt a file.

    3. The user must have either a local profile on the computer where EFS operations will occur or a roaming profile. If the user does not have a local profile on the remote computer or a roaming profile, EFS creates a local profile for the user on the remote computer.

      If the remote computer is a server in a cluster, the user must have a roaming profile.

    4. To encrypt a file, the user must have a valid EFS certificate. If EFS cannot locate a pre-existing certificate, EFS contacts a trusted enterprise certification authority for a certificate. If no trusted enterprise certification authorities are known, a self-signed certificate is created and used. The certificate and keys are stored in the user’s profile on the remote computer or in the user’s roaming profile if available.

      Note: To verify a certificate’s authenticity, a certification authority signs the certificates that it issues with its private key. EFS creates and uses a self-signed certificate if no file encryption certificate is available from a certification authority. A self-signed certificate indicates that the issuer and subject in the certificate are identical, and that no certification authority has signed the certificate.

    5. To decrypt a file, the user’s profile must contain the private key associated with the public key used to encrypt the file encryption key (FEK).

    6. EFS must impersonate the user to obtain access to the necessary public or private key. This requires the following:

      1. The computer must be a domain member in a domain that uses Kerberos authentication because impersonation relies on Kerberos authentication and delegation.

      2. The computer must be trusted for delegation.

      3. The user must be logged on with a domain account that can be delegated.

    April 18, 2013 15:24
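The requirements quoted above can be checked from an admin workstation instead of by trial and error. The script below is an added example, not from the thread or from Microsoft's article; it assumes the RSAT ActiveDirectory module is installed, and the server name, user name and UNC path are placeholders.

```powershell
# Added example (not from the thread): checks the remote-EFS requirements that
# are easiest to get wrong (6.1 domain membership, 6.2 server trusted for
# delegation, 6.3 user allowed to be delegated) and whether the target file is
# actually EFS-encrypted and which certificates can decrypt it (requirement 5).
Import-Module ActiveDirectory

function Test-RemoteEfsPrereqs {
    param(
        [string]$ComputerName,    # file server hosting the share (placeholder)
        [string]$SamAccountName,  # domain user who must open the file (placeholder)
        [string]$Path             # UNC path of the encrypted file (placeholder)
    )
    $r = [ordered]@{}

    # 6.1 / 6.2: the file server needs an AD computer object and must be
    # "Trusted for delegation" in AD Users and Computers.
    try {
        $c = Get-ADComputer -Identity $ComputerName -Properties TrustedForDelegation
        $r.DomainMember         = $true
        $r.TrustedForDelegation = [bool]$c.TrustedForDelegation
    } catch {
        $r.DomainMember         = $false
        $r.TrustedForDelegation = $false
    }

    # 6.3: the user must not be flagged "Account is sensitive and cannot be delegated".
    $u = Get-ADUser -Identity $SamAccountName -Properties AccountNotDelegated
    $r.UserCanBeDelegated = -not [bool]$u.AccountNotDelegated

    # Requirement 1: the file must be reachable through the share. If it does not
    # carry the Encrypted attribute, EFS is not what is producing "Access denied".
    $r.Reachable = Test-Path -LiteralPath $Path
    if ($r.Reachable) {
        $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
        $r.IsEfsEncrypted = (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)

        # Requirement 5: cipher /c lists the certificate thumbprints whose private
        # keys can decrypt this file. The thumbprint of the certificate imported on
        # the client must appear here; if not, the file was encrypted with a
        # different key than the one that was exported.
        $r.DecryptorsListing = (cipher.exe /c $Path | Out-String)
    }
    return [pscustomobject]$r
}

Test-RemoteEfsPrereqs -ComputerName 'FS01' -SamAccountName 'jdoe' `
                      -Path '\\FS01\share\secret.docx'
```

Each False in the output maps back to the numbered requirement in the list above; a missing thumbprint under "Users who can decrypt" points at the key that was exported and imported, not at the delegation settings.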
  • Above are the 6 conditions brother Finy pointed to for opening EFS files in a shared environment:

    My rough translation:

    1. The files to be compiled must be obtainable through a network share.

    2. The user (meaning the user on the client) must have Write and Modify permissions in order to compile or decompile the file.

    3. The user must have a local profile for EFS operations, or a roaming profile (?). Does this mean the local disk must not be disabled, and that EFS decoding etc. uses at least one local folder? Could an expert please confirm this.

    4. To compile a file, the user must have a valid EFS encryption certificate. (I don't quite understand the rest; what I did was export the EFS encryption certificate on the server first, then import it on the client.)

    5. To compile a file, the user's profile must contain the private key and the corresponding public key. (Where do I find the public key? The exported *.pfx seems to be all private key.)

    6. The user obtains the necessary public or private key. This requires the following:

      1. The computer must be a domain member, in a domain that uses Kerberos authentication, because impersonation relies on Kerberos authentication and delegation.

      2. The computer must be trusted.

      3. The user must be trusted by the domain controller.

    April 18, 2013 15:48
  • Half understanding these 6 items, it still doesn't work. Please help, thanks!
    April 18, 2013 15:49
  • Which one don't you understand, or don't know how to carry out?

    My guess is 6.2, that is, this one:

    • Edited by Finy April 19, 2013 3:54
    April 19, 2013 3:51