INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Jobs

Web Authentication using machine or client certificates

Web Authentication using machine or client certificates

(OP)
We have an ASP.NET web app running in IIS, with about 200 users, some are inside our LAN and other ones are outside our LAN. Every user has a userid account and a password to logon into web app. Not every user has an AD account.

Besides those credentials, we want to add more security for accessing that web app with this requirement:

A user will access that web app just and only from its assigned PC. If the user uses other PC, and even if its login credential were right, then he/she will not be able to access that web app.

For partially solving this requirement, we can implement machine certificates on every user's PC and we can install a CA in our IIS server, and also we can issue machine certificate for non Active Directory PC.

However, the user could use any another PC in where machine certificate was installed and access web app with his/her login credential. We don't want that. The user should be only allowed to login to web app only from his/her assigned PC. No other PC.

What we are trying to achieve is that, somehow, machine certificate should be tied to user's login credentials for web app. For authetication, web app should send: userid, password and machine certificate key to web server or database. If those three elements are OK, then user is authenticated on web app.

Is it possible that machine certificates and CA work in that way?

RE: Web Authentication using machine or client certificates

Quote:

The user should be only allowed to login to web app only from his/her assigned PC. No other PC.
Why? What is the purpose of this requirment

RE: Web Authentication using machine or client certificates

(OP)
In general, for giving more security for authentication. I've seen this in other web apps. For example, a web app for accessing citizen registration (names, gender, date of birth, address, photgraph, etc).

RE: Web Authentication using machine or client certificates

I have never seen that implemented. And would seem overly secure for most web apps. Do you really need to have that much security for your data? I doubt it. I worked for the military in the past and didn't have a need for that much security.

I would assume the implementation would be very difficult if not impossible.

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Resources

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close