On Nov 22, 2020, at 11:59 AM, Coy Hile <Coy.Hile@coyhile.com> wrote:
The way I read this, what he’s trying to do is a two-step authentication process:
I really wish people asked *clear* questions. :(
1) Use the machine cert to verify that the user is coming from a trusted device. 2) After it’s verified that that the device is good to go, then determine who the user is and take appropriate action then.
The issue is that for Windows, those are two separate authentications. The host authenticates itself using host credentials. *Not* user credentials. At some random later time, the user may (or may not) authenticate himself using his own credentials. The only way to see that these are from the same machine is to compare machine MAC / NAS IP / port / etc. And, it all depends on how Windows works. Which we don't control. So this question really is "Can I make Windows do X?" And the only answer is "I dunno.. .ask the Windows people".
Does it not, then, depend on where the user is authenticating? If it’s a builtin windows thing (for, say, 802.1x or similar, one may be out of luck. But it might make sense in the context of, say, a VPN client to verify the source device is within policy before authenticating the end user.
Except that with a VPN, it *won't* do host authentication separately. It will only do user authentication. And you *might* get a MAC address or other machine identification. But likely not. Alan DeKok.