
Client certificate request

Posted: Tue Feb 07, 2023 1:58 am
by Andros

Hi, I have an app published on a public server. My client wants the users to be able to open the webapp login page only if they have a client certificate installed that the browser can verify. Does anyone have experience with this?


Re: Client certificate request

Posted: Tue Feb 07, 2023 2:17 am
by darkdragon

Do you need client certificate based authentication?
Or will the clients still have to log in with username/password, while at the same time connections are allowed only with some specific certificates?


Re: Client certificate request

Posted: Tue Feb 07, 2023 4:37 pm
by Andros

The two scenarios are both interesting, but the customer's request is the first: he wants to distribute the same certificate to selected users, they set up the certificate and can access the webapp on the public server and log in with their credentials.


Re: Client certificate request

Posted: Tue Feb 07, 2023 5:00 pm
by darkdragon

This is a good resource page to start with if you need to implement certificate-based auth:
https://learn.microsoft.com/en-us/iis/c ... ntication/

But if you authenticate against a public-facing web server, then the client will face much more serious trouble, because he has to manage the certificates.

How are they distributed? Which authority issues the certificates? How does he ensure revocation, e.g. if a user should not have access to the app anymore?
This scenario is OK to implement when you have access to the CA, in order to manage revocation, certificate renewal, etc.; therefore the typical client is a large company/corporation with Active Directory, its own CA, etc.


Re: Client certificate request

Posted: Tue Feb 07, 2023 11:32 pm
by Andros

Thanks for your post, I'll go study...