We have an ASP.NET web app running in IIS, with about 200 users, some are inside our LAN and other ones are outside our LAN. Every user has a userid account and a password to logon into web app. Not every user has an AD account.
Besides those credentials, we want to add more security for accessing that web app with this requirement:
A user will access that web app just and only from its assigned PC. If the user uses other PC, and even if its login credential were right, then he/she will not be able to access that web app.
For partially solving this requirement, we can implement machine certificates
on every user's PC and we can install a CA
in our IIS server, and also we can issue machine certificate for non Active Directory PC.
However, the user could use any another PC in where machine certificate was installed and access web app with his/her login credential. We don't want that. The user should be only allowed to login to web app only from his/her assigned PC. No other PC.
What we are trying to achieve is that, somehow, machine certificate should be tied to user's login credentials for web app. For authetication, web app should send: userid, password and machine certificate key to web server or database. If those three elements are OK, then user is authenticated on web app.
Is it possible that machine certificates and CA work in that way?