Opening a Symantec FileShare-encrypted file using Run-as may reject authentication with Access Denied errors


Article ID: 158183


Products

File Share Encryption Powered by PGP Technology

Issue/Introduction

Opening a Symantec FileShare-encrypted file using Run-as may reject authentication with Access Denied errors.

Cause

Symantec FileShare Encryption grants individual users access to encrypted data based on each user's keys, so only specific users are allowed into a share. Using Run-As to open an application (such as MS Word) and then opening a Symantec FileShare-encrypted file from it can result in Access Denied errors. Even though the user issuing the command may hold the required keypair and know its passphrase, Run-As bypasses that user's logon session and executes the operation as another user, which falls outside the Symantec FileShare access granted to the logged-on user.


This behavior is by design. When Windows User Account Control (UAC) is enabled, Windows maintains a Locally Unique Identifier (LUID) for each logon session, and a Run-As operation is disconnected from the user's own logon session, which holds the information needed for authentication.

Symantec FileShare separates users from each other such that each user must authenticate explicitly to a protected file or folder to gain access to the encrypted data. Otherwise, the user receives an "Access Denied" error and is not allowed access to the files. This is exactly what happens when Run-As is used with Windows UAC.


Resolution

In situations where Run-As or multi-user environments such as Terminal Services or Fast User Switching are in use, and users must have access to the FileShare files or folders on a single system, it may be necessary to enable an option that allows all users access to the encrypted share on that computer. The following setting grants such users access to shares in these special circumstances.


Steps to enable multi-user access on a single system:

1. Open the Windows Registry as an Administrator of the system (Start > regedit).

2. Navigate to the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\pgpfs

3. Right-click on the "pgpfs" registry key, and select New > Key, and give it a name of "Parameters".

4. Once the Parameters key has been created, click on it so it is selected.

5. In the right pane of the Registry Editor, right-click and select New > DWORD (32-bit) Value. Give the DWORD value the name "Terminal" and leave the value data as "0".

6. Reboot the system.
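The same registry change expressed as PowerShell, added here as an example that is not part of the Symantec article. It uses only the key path and value name the article gives, assumes an elevated session on the affected system, and adds an audit function so an administrator can check which systems already carry this override before deciding whether it belongs there.

```powershell
# Added example (not from the Symantec article): create, audit and revert the
# pgpfs "Terminal" override described in the steps above.
# Assumes an elevated PowerShell session on Windows; reboot after any change.
$PgpfsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\pgpfs'
$ParametersKey = Join-Path $PgpfsKey 'Parameters'
$ValueName     = 'Terminal'

function Test-PgpfsMultiUserAccess {
    # $true when the override value exists. The article creates it with data 0,
    # so the presence of the value, not its data, is what the audit looks for.
    if (-not (Test-Path $ParametersKey)) { return $false }
    $item = Get-ItemProperty -Path $ParametersKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item)
}

function Enable-PgpfsMultiUserAccess {
    # Step 3: create the Parameters key under pgpfs if it is missing.
    if (-not (Test-Path $ParametersKey)) {
        New-Item -Path $PgpfsKey -Name 'Parameters' -Force | Out-Null
    }
    # Step 5: create the DWORD "Terminal" and leave its data at 0.
    New-ItemProperty -Path $ParametersKey -Name $ValueName `
        -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Warning 'Every user on this system can now read already-unlocked FileShare data. Reboot required.'
}

function Disable-PgpfsMultiUserAccess {
    # Revert to the default per-user behaviour by removing the value.
    if (Test-PgpfsMultiUserAccess) {
        Remove-ItemProperty -Path $ParametersKey -Name $ValueName
    }
}

# Audit use: report the current state without changing anything.
if (Test-PgpfsMultiUserAccess) {
    "$env:COMPUTERNAME: pgpfs multi-user override PRESENT (all users can read unlocked shares)"
} else {
    "$env:COMPUTERNAME: pgpfs multi-user override not set (default per-user access)"
}
```

Run the audit section alone (for example through Invoke-Command against a list of hosts) to inventory where the override is present; call Enable-PgpfsMultiUserAccess only on systems where the multi-user access described above is actually required.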


Once this Registry value is created, access will be granted to users who can authenticate even in multi-user environments, including via Run-As operations.


Warning: This is not a generally recommended setting. This switch allows *every user* on the system to access *already unlocked* files and folders. If this behavior is not desired, or poses a security concern, do not enable this parameter. Files that have not yet been unlocked will remain locked until an authorized user with the proper keys accesses the encrypted file/folder. Once any new files/folders have been unlocked, additional users will have access to them through this setting.



Applies To

Windows 7