
The certificate store contains more than one basic EFS certificate for a user


SYMPTOMS
When you grant a user permission to access an encrypted file, the certificate store may contain more than one basic Encrypting File System (EFS) certificate for this user. This symptom occurs when you grant permissions in a Microsoft Windows Server 2003 Active Directory domain or a Microsoft Windows 2000 Server Active Directory domain.
CAUSE
This behavior occurs because the certificate store contains more than one basic EFS certificate that the enterprise certification authority (CA) has issued to the user. This happens because every time the user logs on to a computer that is not the user's regular computer, a request for a basic EFS certificate is generated, and the enterprise CA issues a new basic EFS certificate to the user. The request for a basic EFS certificate occurs when the user logs on to a computer in a Windows Server 2003 Active Directory domain or a Windows 2000 Server Active Directory domain. The user can access an encrypted file from a computer that is not the user's regular computer only if the user's EFS certificate is installed on that computer.

If the user's basic EFS certificate is not present when the user tries to open an encrypted file, a request for a basic EFS certificate is generated. The computer that the user logs on to stores the new basic certificate in the user's personal certificate store. The enterprise CA issues a basic EFS certificate even if one has already been issued to the user, because the existing certificate may be available on the user's regular computer but not on the computer the user has logged on to.

Note: Users, computers, and services can automatically request EFS certificates without user intervention. This ability depends on the public key policies in the domain.
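An added check, not part of the KB article, for seeing whether the behavior described above has occurred on a given computer: it lists the basic EFS certificates in the current user's personal store, marks the one EFS currently encrypts with (read from the CurrentKeys registry value), and warns when more than one is present. It assumes a PowerShell host with the Cert: and HKCU: providers; the Encrypting File System EKU OID and the CertificateHash value are standard Windows values.

```powershell
# Added example, not from the KB article. Lists basic EFS certificates in the
# current user's personal store and warns when more than one is present.
# Assumes PowerShell with the Cert: and HKCU: providers.
$efsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

function Get-EfsCertificate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    Get-ChildItem -Path $StorePath | Where-Object {
        $isEfs = $false
        foreach ($ext in $_.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.Value -eq $efsEkuOid) { $isEfs = $true }
                }
            }
        }
        $isEfs
    }
}

# EFS records the thumbprint of the certificate it currently encrypts with under
# HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\CertificateHash (REG_BINARY).
function Get-ActiveEfsThumbprint {
    $keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
    if (-not (Test-Path $keyPath)) { return $null }
    $bytes = (Get-ItemProperty -Path $keyPath).CertificateHash
    if (-not $bytes) { return $null }
    ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

$active   = Get-ActiveEfsThumbprint
$efsCerts = @(Get-EfsCertificate | Sort-Object NotBefore)

# Issuer shows whether the enterprise CA or the local computer (self-signed) issued each
# certificate; the NotBefore dates line up with logons to computers that lacked the certificate.
$efsCerts | Select-Object Subject, Issuer, NotBefore, Thumbprint, HasPrivateKey,
    @{ Name = 'Active'; Expression = { $_.Thumbprint -eq $active } } | Format-Table -AutoSize

if ($efsCerts.Count -gt 1) {
    $msg = '{0} basic EFS certificates found for {1}. Check which ones have a private key on this ' +
           'computer; a roaming profile lets one certificate and key follow the user instead.'
    Write-Warning ($msg -f $efsCerts.Count, $env:USERNAME)
}
```

Certificates listed without HasPrivateKey were enrolled on another computer and cannot decrypt files here, which is the situation the roaming-profile workaround below removes.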
WORKAROUND
To work around this behavior, switch the profile of the user to whom you want to grant permissions from a local profile to a roaming profile.

Windows Server 2003 and Windows 2000 Server support roaming user profiles that make it possible for certificates to follow users. Therefore, the certificates are available on any computer they log on to. If roaming user profiles are enabled, user profiles, including issued certificates and private keys, are stored on the domain controller. The roaming profiles are downloaded to the local computer when the user logs on.
REFERENCES
To obtain a copy of the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services book, visit the following Microsoft Web site:

For more information about EFS in Windows 2000, visit the following Microsoft "Step-by-Step Guide to Encrypting File System (EFS)" Web site:
Properties

Article ID: 837359 - Last Review: 10/30/2006 21:12:54 - Revision: 1.4

  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional Edition