EFS of remote shares requires the file server be trusted for delegation (along with the user being allowed for delegation as well). And you need to have a PKI in place.
Simply delegating the entire fileserver works, but can be a security issue. Constrained delegation is available in Win2K3 and above to deal with this, but there is a dearth of info that I can find that indicates what SPNs would need to specifically be delegated to get this to work.

I found one post where the following was suggested:

On the file server-
cifs; ldap; protectedstorage (add for each DC)
HOST (add for your cert authority)

Now, this SEEMS to work for me, but I'm not sure if this is only because I had previously delegated the entire fileserver and there's a setting "left over". (I've gpupdate'd my file server and client test machine).

I guess I'm somewhat surprised at this recommendation, because even though I'm performing these delegations on the file-server AD object, I'm actually specifying services on other machines...

Thoughts or pointers to where this might be explained more fully?

Thanks.

-sc
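Added example, not part of the original post: a PowerShell check of what is actually stored on the file server's AD computer object, to tell a "left over" unconstrained-delegation flag apart from a constrained SPN list. `FILESRV01`, the `example.test` host names and the sample object are constructed placeholders; the live query assumes the RSAT ActiveDirectory module.

```powershell
# Added example; names and sample values are constructed, not from the post.
function Get-DelegationSummary {
    param([Parameter(Mandatory, ValueFromPipeline)] $Computer)
    process {
        $uac  = [int]$Computer.userAccountControl
        $spns = @($Computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

        # Group the allowed SPNs by target host so it is clear which
        # services on which *other* machines the file server may delegate to.
        $targets = @($spns | ForEach-Object {
                $class, $rest = $_ -split '/', 2
                [pscustomobject]@{ ServiceClass = $class; Host = ($rest -split '[/:]')[0] }
            } | Group-Object Host | ForEach-Object {
                '{0}: {1}' -f $_.Name, (($_.Group.ServiceClass | Sort-Object -Unique) -join ', ')
            })

        [pscustomobject]@{
            Name               = $Computer.Name
            # 0x80000 = TRUSTED_FOR_DELEGATION ("trust for delegation to any service")
            Unconstrained      = [bool]($uac -band 0x80000)
            # 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition)
            ProtocolTransition = [bool]($uac -band 0x1000000)
            ConstrainedTargets = $targets
        }
    }
}

# Constructed sample object shaped like the attributes Get-ADComputer returns.
$sample = [pscustomobject]@{
    Name                       = 'FILESRV01'
    userAccountControl         = 0x1000    # WORKSTATION_TRUST_ACCOUNT only
    'msDS-AllowedToDelegateTo' = @(
        'cifs/dc01.example.test', 'ldap/dc01.example.test',
        'protectedstorage/dc01.example.test', 'HOST/ca01.example.test')
}
$sample | Get-DelegationSummary | Format-List

# Against a live domain:
# Get-ADComputer FILESRV01 -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
#     Get-DelegationSummary | Format-List
```

If `Unconstrained` comes back `True`, the account is still trusted for delegation to any service and the SPN list is not what is limiting it.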
