Web Authentication using machine or client certificates

We have an ASP.NET web app running in IIS with about 200 users; some are inside our LAN and others are outside it. Every user has a userid and a password to log on to the web app. Not every user has an AD account.

Besides those credentials, we want to add more security for accessing that web app, with this requirement:

A user will access that web app only from his/her assigned PC. If the user uses another PC, even if his/her login credentials are right, he/she will not be able to access that web app.
To partially solve this requirement, we can implement machine certificates on every user's PC and install a CA on our IIS server; we can also issue machine certificates for non-Active Directory PCs.

However, the user could use any other PC where a machine certificate was installed and access the web app with his/her login credentials. We don't want that. The user should be allowed to log in to the web app only from his/her assigned PC. No other PC.

What we are trying to achieve is that, somehow, the machine certificate should be tied to the user's login credentials for the web app. For authentication, the web app should send userid, password and machine certificate key to the web server or database. If those three elements are OK, then the user is authenticated on the web app.

Is it possible for machine certificates and a CA to work in that way?

btanExec ConsultantCommented:
I was thinking instead for the login to use the client cert mapping (1-to-1, not M-to-1), since it is based on the current user cert store; IIS does this mapping and binding to the user SSL cert installed only in that machine. So when the user logs in to the machine w/o that cert it is not supposed to be allowed to log in... see this 1-to-1 compared to M-to-1:

One-To-One Mappings
Let's walk through the one-to-one mappings as well. This approach means that we need an individual client certificate for each user mapping. You can either disable the many-to-one mapping and use the same certificate and user or create new ones.

Many-To-One Mappings
If you want to map multiple client certificates to a single user, this approach is what you need. You can also share client certificates like this by installing the client certificate (and the CA Root, since we are self-signing certificates) for other users on whichever machine to gain access, as long as the client certificate matches the rule criteria of the mapping. It would for example be useful in a situation where you would want all users in an organization to gain access through a single user mapping.
miyahiraAuthor Commented:
Thanks for your post.

In your scenario, is below possible?

User_a logs on to his PC_a. Then he is able to load and log in to the web app.
User_a leaves PC_a unattended. User_b comes to PC_a, loads the web app and tries to log on to the web app with his User_b credentials (userid and password for the web app). The server does not authorize that login because User_b's credentials and the certificate key do not correspond.

I am talking about logging in to the web app, not logging in to the Windows operating system.
btanExec ConsultantCommented:
Understood - the article is sharing that the client mapping can handle the situation when we need to authenticate clients without even a user login and password approach: the server asks the client to show its certificate and, if it's the correct one, the client is allowed in. Thereafter, it can be your web app's turn to do the prompting - it kind of reverses what you ask for, with the credentials keyed in first. But I thought that when the user accesses that IIS server (SSL based), it should already be restricted per se - it can be stringent though.

Client mapping also has these notes and code...
Note: Client Certificate Mapping authentication using IIS differs from Client Certificate Mapping using Active Directory in the following ways:

Client Certificate Mapping authentication using Active Directory - this method of authentication requires that the IIS 7 server and the client computer are members of an Active Directory domain, and user accounts are stored in Active Directory. This method of Client Certificate Mapping authentication has reduced performance because of the round-trip to the Active Directory server.

IIS Client Certificate Mapping authentication - this method of authentication does not require Active Directory and therefore works with standalone servers. This method of Client Certificate Mapping authentication has increased performance, but requires more configuration and access to client certificates in order to create mappings.

The caveat is that the client cert will need to be installed only in that specific machine the user logs in from, and not on all machines. Nevertheless, the logic of your use case can still be achieved via an application delivery controller using boxes like F5 Access Policy Manager, but likely that is not what you are looking for, including the use of RADIUS (Cisco ISE) - the key is leveraging existing device fronting to aid this use case's authentication where possible...

Pardon me if I misread...
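The three-element check the question asks for (userid, password and the certificate of the assigned PC), written as an added example for an ASP.NET (System.Web) login handler. This is not code from the thread or from IIS; it assumes the site has "Require SSL" with client certificates accepted or required, that the internal CA is trusted on the server, and that each user record stores the thumbprint of the certificate enrolled on that user's PC (the `UserRecord` type and the store are constructed for the example).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Hypothetical login check: a login succeeds only when userid, password and the
// TLS client certificate presented by the PC all agree with the stored user record.
public static class BoundCertLogin
{
    // Constructed user record; in a real app this is a database row.
    public sealed class UserRecord
    {
        public byte[] Salt;            // PBKDF2 salt
        public byte[] PasswordHash;    // PBKDF2-SHA256 output, 32 bytes
        public string CertThumbprint;  // SHA-1 thumbprint of the PC's certificate, recorded at enrollment
    }

    // Constant-time comparison so a mismatch does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static bool PasswordMatches(UserRecord u, string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, u.Salt, 100000, HashAlgorithmName.SHA256))
            return FixedTimeEquals(kdf.GetBytes(u.PasswordHash.Length), u.PasswordHash);
    }

    // Returns true only when all three factors agree.
    public static bool Authenticate(HttpRequest request, string userId, string password,
                                    IDictionary<string, UserRecord> store)
    {
        UserRecord user;
        if (!store.TryGetValue(userId, out user)) return false;

        HttpClientCertificate clientCert = request.ClientCertificate;
        if (!clientCert.IsPresent) return false;                 // no TLS client certificate: deny

        var cert = new X509Certificate2(clientCert.Certificate); // IIS hands the certificate over as DER bytes
        if (!cert.Verify()) return false;                        // must chain to a CA the server trusts

        bool certOk = string.Equals(cert.Thumbprint, user.CertThumbprint, StringComparison.OrdinalIgnoreCase);
        bool passwordOk = PasswordMatches(user, password);       // evaluated even if certOk is false
        return certOk && passwordOk;
    }
}
```

Because a machine certificate is available to any Windows session on that PC, the binding is to the PC and not to the Windows user: in the scenario above, User_b logging in from PC_a with his own web-app credentials is rejected because PC_a's certificate is bound to User_a's record, while a web-app login has no way to tell who is physically at the keyboard.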


miyahiraAuthor Commented:
btanExec ConsultantCommented:
Thanks for sharing. Looks like a custom HTTP header for your use case then, since the usual WWW-Authenticate header does not cater to it.
The <customHeaders> element of the <httpProtocol> element specifies custom HTTP headers that Internet Information Services (IIS) 7 will return in HTTP responses from the Web server.

...and as shared previously, if you have an ADC, that can be explored in the same context:
I got the BIG-IP to put the certificate in the header using the following iRule code... the value in my CERTFROMHEADER variable is a base64 encoded string - otherwise known as PEM format for the certificate. The problem is that .NET only allows you to manipulate the cert in the DER format (at least with the version of the framework we are running). So, I had to use the Microsoft utility CERTUTIL.EXE to convert the PEM cert to a DER cert and then open it as a .NET object.
miyahiraAuthor Commented:
Answer by btan is complemented with the one I found.