Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Web Authentication using machine or client certificates

Status
Not open for further replies.
delmontexxx

delmontexxx

Programmer
May 25, 2015
2
PE
We have an ASP.NET web app running in IIS, with about 200 users, some are inside our LAN and other ones are outside our LAN. Every user has a userid account and a password to logon into web app. Not every user has an AD account.

Besides those credentials, we want to add more security for accessing that web app with this requirement:

A user will access that web app just and only from its assigned PC. If the user uses other PC, and even if its login credential were right, then he/she will not be able to access that web app.

For partially solving this requirement, we can implement machine certificates on every user's PC and we can install a CA in our IIS server, and also we can issue machine certificate for non Active Directory PC.

However, the user could use any another PC in where machine certificate was installed and access web app with his/her login credential. We don't want that. The user should be only allowed to login to web app only from his/her assigned PC. No other PC.

What we are trying to achieve is that, somehow, machine certificate should be tied to user's login credentials for web app. For authetication, web app should send: userid, password and machine certificate key to web server or database. If those three elements are OK, then user is authenticated on web app.

Is it possible that machine certificates and CA work in that way?
 
Sort by date Sort by votes
The user should be only allowed to login to web app only from his/her assigned PC. No other PC.
Click to expand...
Why? What is the purpose of this requirment
 
Upvote 0 Downvote
In general, for giving more security for authentication. I've seen this in other web apps. For example, a web app for accessing citizen registration (names, gender, date of birth, address, photgraph, etc).
 
Upvote 0 Downvote
I have never seen that implemented. And would seem overly secure for most web apps. Do you really need to have that much security for your data? I doubt it. I worked for the military in the past and didn't have a need for that much security.

I would assume the implementation would be very difficult if not impossible.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Makumbi256
  • Locked
  • Question
How to make days vertical and grid view editable using asp.net vb
Replies
0
Views
315
Makumbi256
Makumbi256
Moregelen
  • Locked
  • Question
Domain Authentication
Replies
0
Views
348
Moregelen
Moregelen
sugu1
  • Locked
  • Question
sound editing in web site to record, cut/trim, paste and save as wav file
Replies
0
Views
364
sugu1
sugu1
G12Consult
  • Locked
  • Question
Forms authentication not working
Replies
4
Views
250
Rajkumarrrrr
Rajkumarrrrr
WIREMESH
  • Locked
  • Question
Play mp4 files in asp.net 2.0 webforms application
Replies
0
Views
115
WIREMESH
WIREMESH

Part and Inventory Search

Sponsor

Back
Top