To resolve this problem, configure the clustered share resource to allow for the storage of EFS files. To do this, follow these steps.
Step 1: Configure roaming user profiles
Roaming user profiles are required to support storing EFS files on remote shared resources.
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
324749 How to create a roaming user profile in Windows Server 2003
302082 How to create a roaming user profile in Windows 2000
Step 2: Configure each cluster node to be trusted for delegation
Configure the computer account for each cluster node to be trusted for delegation. To do this, follow these steps:
- Start "Active Directory Users and Computers." To do this, click Start, click Run, type dsa.msc, and then click OK.
- Locate and then click the container in which the cluster nodes are located. By default, the cluster nodes are in the Computers container.
- In the details pane, right-click a cluster node that hosts the clustered share resource, and then click Properties.
- Click to select the Trust computer for delegation check box, click OK on the message that states that this option lets the computer be trusted for delegation, and then click OK.
- Repeat steps 3 and 4 for each cluster node that may host the clustered share resource.
- Restart each cluster node that is trusted for delegation.
Step 3: Configure the Network Name resource to support Kerberos
Kerberos support must be enabled on the Network Name resource. To configure this option, follow these steps.
Note After you follow these steps, a computer object that represents the cluster name that is configured for the Network Name resource appears in the Active Directory directory service. You must trust this computer object for delegation.
- Start the Cluster Administrator tool, and then connect to the server cluster.
- Locate the appropriate Network Name resource, right-click the resource, and then click Take Offline.
Note The Network Name resource must be offline to enable Kerberos support.
- Right-click the Network Name resource, and then click Properties.
- In the ResourceName Properties dialog box, click the Parameters tab.
- Note the name that appears next to Name. This name is the name of the computer object that appears in the Computers container in Active Directory Users and Computers.
- Click to select the Enable Kerberos Authentication check box, and then click OK.
- Right-click the Network Name resource, and then click Bring Online.
Step 4: Configure the cluster to be trusted for delegation
Configure the computer account that appears for the <virtual server name of the share> to be trusted for delegation. To do this, follow these steps:
- Start Active Directory Users and Computers.
- Locate and then click the Computers container.
- In the details pane, right-click the cluster name, and then click Properties.
- Click to select the Trust computer for delegation check box, click OK on the message that states that this option lets the computer be trusted for delegation, and then click OK.
- Take the Network Name resource offline, and then bring the Network Name resource online.
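To confirm the result of Steps 2 and 4, the following added example (not part of the original article) reads the userAccountControl attribute of each computer account and reports whether the "Trust computer for delegation" bit (TRUSTED_FOR_DELEGATION, 0x80000) is set. The function names and the computer names NODE1, NODE2 and CLUSTERNAME are hypothetical placeholders, and the lookup assumes a domain-joined machine with PowerShell available.

```powershell
# Added example. Function names and computer names are placeholders, not values from the article.
$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit set by "Trust computer for delegation"

function Test-TrustedForDelegation {
    # Pure check on a userAccountControl value; works without a domain.
    param([Parameter(Mandatory)][int]$UserAccountControl)
    return (($UserAccountControl -band $TRUSTED_FOR_DELEGATION) -ne 0)
}

function Get-ComputerDelegationState {
    param(
        # Restrict names to NetBIOS-style characters so nothing unexpected reaches the LDAP filter.
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9-]{1,15}$')]
        [string[]]$ComputerName
    )
    foreach ($name in $ComputerName) {
        # Computer accounts have a sAMAccountName that ends in '$'.
        $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$name`$))"
        [void]$searcher.PropertiesToLoad.Add('userAccountControl')
        [void]$searcher.PropertiesToLoad.Add('distinguishedName')
        $result = $searcher.FindOne()

        if ($null -eq $result) {
            # Account not found, for example the Network Name object before Step 3 is completed.
            [pscustomobject]@{ Name = $name; Found = $false
                               TrustedForDelegation = $null; DistinguishedName = $null }
            continue
        }

        $uac = [int]$result.Properties['useraccountcontrol'][0]
        [pscustomobject]@{
            Name                 = $name
            Found                = $true
            TrustedForDelegation = Test-TrustedForDelegation -UserAccountControl $uac
            DistinguishedName    = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

# Constructed sample values: 0x1000 is a plain computer account (WORKSTATION_TRUST_ACCOUNT),
# 0x81000 is the same account with the delegation bit set.
Test-TrustedForDelegation -UserAccountControl 0x1000
Test-TrustedForDelegation -UserAccountControl 0x81000

# On a domain-joined machine, list the accounts that still lack the setting:
# Get-ComputerDelegationState -ComputerName 'NODE1','NODE2','CLUSTERNAME' |
#     Where-Object { -not $_.TrustedForDelegation }
```

The same function can be run periodically against all computer accounts that are expected to carry this setting, so that any account outside the cluster that has the bit set stands out.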