Link to home
Create AccountLog in
Avatar of paultaylor1999

asked on

Certificate based authentication


I have a Windows 2008 application server running a company application. Users need to enter a username/password to get in.

We're looking to have this available from outside the company network via a publically available URL ( Our MD wants us to add another layer of authentication on top of this because of the fact people will be accessing from outside using non-company devices.

I've heard of Certificate based on authentication and read around on the web but am unsure of a few things if people could help me.

i. Can we use certificates for 'authentication'

ii. Do we need different certificates on each user device and just one on the application server? Or can we push the same certificate to each user device?

iii. How can we get certificates on the user device?

iv. If, for example, someone left the company is there a way to 'revoke' their certificate quickly?

v. Any downsides to all this?
Avatar of arnold
Flag of United States of America image

Yes, you would within IIS check the box require SSL. You would within the same setting tick the button that requires a client certificate.
You would have an internal CA an issue client certificates to the user.
You can then map the certificate to the user this way the log with record the authenticated user on every resource they accessed.
The web server will have the certificate to secure the communication, the client certificate is used to authenticate/authorize the user. Presumably there is yet another login prompt into the underlying application (two form authentication)
Avatar of paultaylor1999


Hi Arnold

Thanks,so each user would have a different certificate? How is that mapped to the user so that we can revoke that if need be?

Also, how would we get the certificate on their client device (laptop, personal pc, mobile etc) in the first place?
So you've already got a site that uses SSL encrypted connections and which requires credentials to access.  And you're looking for another layer of authentication?  Sounds like overkill to me.  What are you trying to authenticate?  That only specific devices are allowed to connect (i.e. machine authentication), or are you looking for two-factor authentication?  They could be the same thing, but not necessarily.  If any type of two-factor authentication would do, then you might try something like PhoneFactor, which will call your phone when you try to sign-in.

If using certificates to authenticate a user and not a specific device, then yes a single user certificate could go on multiple devices.  At any time you can revoke a certificate.  The distribution of certificates is what I imagine would be the biggest hurdle, but perhaps others see a clear path forward.
You will have your own internal CA that you will issue certificates with and with which you will revoke the certificate.
You will use the web interface to the CA and create a request for a user certificate.

The certificate is a user certificate and not a device certificate. The user will import the certificate you provide them into their browser. When configured the user goes to the cite, and their browser either provides the certificate but usually the user will be prompted to choose a certificate to present.
Avatar of arnold
Flag of United States of America image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.