When attempting to encrypt folders or files on a share published through a Windows Cluster Resource it fails. You may see the error “An error occurred applying attributes to the file:” … “The logon session in not in the state that is consistent with the requested operation.”

Encryption Error

This occurs in any network share published through the cluster, including redirected folders. Interestingly, when logged on as the ‘domain administrator’ you may not get this error.

Troubleshoot and verify the issue

Logon a workstation as a domain user. Create a test folder on a non-clustered network server share. Access the ‘Properties’ of the test folder and click the ‘Advanced’ settings. Select ‘Encrypt contents to secure data.”  You should not get the error stated above.

Next try to encrypt a test folder on a file cluster resource share. You should get the error. If you are not able to encrypt the folder on the non-clustered server you may have other issues in the domain, such as Kerberos authentication issues.

To resolve the issue

On the Cluster Server:

  1. Open Cluster Administrator.
  2. In the console tree, double-click Groups, and then click the group that contains the File Share resource you need to allow encryption on.
  3. In the details pane, click the Network Name resource in that you will use to connect to this file share.
  4. On the File menu, click Take Offline.
  5. On the File menu, click Properties.
  6. On the Parameters tab, select Enable Kerberos Authentication, and then click OK.
  7. In the details pane, click the Network Name resource for the file share.
  8. On the File menu, click Bring Online.

On a Domain Controller

  1. Open Active Directory Users and Computers.
  2. Locate the Machine Account for the CLUSTER (not the node name but the cluster network name). If it did not exist before, it should have been created after following the steps above and will be located in the Computers container.
  3. Right-click the Machine Account for the Cluster Resource, choose Properties.
  4. Click on the Delegation tab, choose Trust this computer for delegation to any service (Kerberos only), and click OK.
  5. Reboot the client workstation, logon as a domain user and verify encrypting a folder on the cluster share works.

More information can be found in the following TechNet Articles: