Getting System.IO.IOException on File.Encrypt with an impersonated user

Question

I am trying to encrypt a folder (with windows EFS) in a programmatic manner. The following powershell code works just fine when ran via ISE powershell console.

$obj = New-Object -TypeName System.IO.FileInfo 'D:\Temp'      
$obj.Encrypt()

However running this under impersonated user via a chef recipe with test-kitchen produces this error below

recipe wrapper for the powershell:

ruby_block 'Enable encryption on folder' do
  block do
 command = <<-EOH
   # Encrypt the folder
   $obj = New-Object -TypeName System.IO.FileInfo 'D:\\Temp'      
   $obj.Encrypt()
   EOH
   powershell_out!(command, { user: username, password: pwd,
                           domain: domain})
  end
end

Results in the following stack trace:

PSMessageDetails      : 
Exception             : System.Management.Automation.MethodInvocationException:
                     Exception calling "Encrypt" with "0" argument(s): 
                    "The parameter is incorrect.
                    " ---> System.IO.IOException: The parameter is 
                    incorrect.

                       at System.IO.__Error.WinIOError(Int32 errorCode, 
                    String maybeFullPath)
                       at System.IO.File.Encrypt(String path)
                       at CallSite.Target(Closure , CallSite , Object )
                       --- End of inner exception stack trace ---
                       at System.Management.Automation.ExceptionHandlingOps
                    .CheckActionPreference(FunctionContext funcContext, 
                    Exception exception)
                       at System.Management.Automation.Interpreter.ActionCa
                    llInstruction`2.Run(InterpretedFrame frame)
                       at System.Management.Automation.Interpreter.EnterTry
                    CatchFinallyInstruction.Run(InterpretedFrame frame)
                       at System.Management.Automation.Interpreter.EnterTry
                    CatchFinallyInstruction.Run(InterpretedFrame frame)
TargetObject          : 
CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
FullyQualifiedErrorId : IOException
ErrorDetails          : 
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at <ScriptBlock>, <No file>: line 5
PipelineIterationInfo : {}

Notes: the user that's being impersonated is part of the Administrators group and has full control on D:\Temp. Another key observation is that if I perform an interactive login (RDP session) as that user before running chef via test-kitchen the recipe above succeeds without any issues and the folder gets encrypted locally just the same as if running powershell interactively in the console.

The exception seems to indicate that the path parameter to System.IO.File.Encrypt is not being set/passed somewhere inside, but I am at a loss why would this work one time and not the other. I did try to create the user profile by having recipe run an Invoke-Command against localhost as that user and it does create the profile e.g. (C:\users\... gets created), however the Encrypt() call still errors out with the same exception as above. This doesn't seem like a chef or a test-kitchen issue but rather something being missed on the powershell/windows side of things with the encrypted file system intricacies, any help is greatly appreciated.

Thank you

Answer 1

Unfortunately I do not believe you can encrypt files over a remote session. If you were to try this same operation over a native windows powershell remoting session, you would get a UnauthorizedAccessException. If you are using Test-Kitchen, try using the Elevated winrm transport.

Example yaml:

platforms: - name: eval-win2012r2-standard os_type: windows transport: name: winrm elevated: true

This simulates a local logon session and may workaround this error.