Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Web Authentication using machine or client certificates

Status
Not open for further replies.

delmontexxx

Programmer
May 25, 2015
2
PE
We have an ASP.NET web app running in IIS, with about 200 users, some are inside our LAN and other ones are outside our LAN. Every user has a userid account and a password to logon into web app. Not every user has an AD account.

Besides those credentials, we want to add more security for accessing that web app with this requirement:

A user will access that web app just and only from its assigned PC. If the user uses other PC, and even if its login credential were right, then he/she will not be able to access that web app.

For partially solving this requirement, we can implement machine certificates on every user's PC and we can install a CA in our IIS server, and also we can issue machine certificate for non Active Directory PC.

However, the user could use any another PC in where machine certificate was installed and access web app with his/her login credential. We don't want that. The user should be only allowed to login to web app only from his/her assigned PC. No other PC.

What we are trying to achieve is that, somehow, machine certificate should be tied to user's login credentials for web app. For authetication, web app should send: userid, password and machine certificate key to web server or database. If those three elements are OK, then user is authenticated on web app.

Is it possible that machine certificates and CA work in that way?
 
The user should be only allowed to login to web app only from his/her assigned PC. No other PC.
Why? What is the purpose of this requirment
 
In general, for giving more security for authentication. I've seen this in other web apps. For example, a web app for accessing citizen registration (names, gender, date of birth, address, photgraph, etc).
 
I have never seen that implemented. And would seem overly secure for most web apps. Do you really need to have that much security for your data? I doubt it. I worked for the military in the past and didn't have a need for that much security.

I would assume the implementation would be very difficult if not impossible.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top