We have an ASP.NET web app running in IIS, with about 200 users, some inside our LAN and others outside it. Every user has a userid and a password to log in.
Besides those credentials, we want to add more security for accessing that web app with this requirement:
A user will access that web app only from his or her own PC. If the user goes to another place and/or uses another PC, then even if the login credentials are correct, he/she will not be able to access that web app.
We have been told that we can partially meet this requirement with client-side certificates. If a client-side certificate is stored on the user's PC and IIS is configured to accept client-side certificates, then only PCs with a client certificate would be able to connect to IIS.
However, would it be possible to somehow tie the user's login credentials to the client-side certificate stored on the user's PC?
Because a user could go to another PC where a client-side certificate is stored and access the web app with his or her own login credentials. We want the user to be able to access the web app only from his or her assigned PC, not from another PC.
Client certificates are for one thing: authenticating the identity of the security principal that is attempting to access the application. In the case of client certificates, the certificate is typically mapped to a user account.
If you want to control access for a given account based on where (computer name and/or IP address) the account is authenticating from, the application is the best place for this access check.
If you want to prevent the user from exporting the certificate with its private key and importing it on another computer, you can mark the private key as non-exportable when importing the certificate. That may offer some deterrence, but it is only a limitation in the graphical interface, and if their certificate already exists on other computers, or they are using a profile type (roaming) that would allow the certificate to be available on another computer, that would not be a suitable option.
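One way to do the application-side check the answer recommends is to enroll each account with the thumbprint of the certificate issued to its assigned PC, and at login require that the certificate the browser presented over TLS is that one. This is an added example for ASP.NET (System.Web), not code from the original post; the `EnrolledThumbprints` table and its values are a constructed stand-in for a lookup against the user database.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Added example: binds a user account to one client certificate so a correct
// password from a different PC (with a different certificate) is rejected.
public static class CertificateBinding
{
    // Hypothetical enrollment table: userid -> SHA-1 thumbprint of the certificate
    // issued to that user's assigned PC. Constructed placeholder values; a real
    // deployment would keep this in the user database.
    private static readonly Dictionary<string, string> EnrolledThumbprints =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "jdoe", "0000000000000000000000000000000000000001" }, // placeholder
        };

    public static bool IsBoundToUser(string userId, HttpClientCertificate clientCert)
    {
        // IIS must be set to require (not merely accept) client certificates;
        // otherwise IsPresent is false and every login is denied here.
        if (clientCert == null || !clientCert.IsPresent || !clientCert.IsValid)
            return false;

        string expected;
        if (!EnrolledThumbprints.TryGetValue(userId, out expected))
            return false; // no PC enrolled for this account: deny

        // Rebuild the X509 object from the DER bytes IIS received so the thumbprint
        // is computed from the certificate that was actually presented.
        var presented = new X509Certificate2(clientCert.Certificate);
        return string.Equals(presented.Thumbprint, expected,
                             StringComparison.OrdinalIgnoreCase);
    }
}

// Usage in the login handler, after the password check succeeds:
//   if (Membership.ValidateUser(userId, password)
//       && CertificateBinding.IsBoundToUser(userId, Request.ClientCertificate))
//       FormsAuthentication.RedirectFromLoginPage(userId, false);
//   else
//       ShowError("Login is only permitted from your assigned PC.");
```

As the answer notes, this only ties the account to a certificate, not to the hardware: if the certificate and its private key can be copied or roam with the profile, the check follows the certificate, so the non-exportable key setting (or a hardware-backed key) is what keeps it on the assigned PC.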