We are toying with using machine certs with Pulse on IVE 7.3 R7 and have things working pretty well, but have a concern.
Is there a way to match the user's machine certificate to the actual machine? Everything I've seen seems to be around verifying that the certificate is issued by a valid trusted CA, etc., but what if someone puts a valid machine certificate onto multiple machines? We want to lock each certificate to a specific machine. I know we can use non-exportable certs so once installed, the certificate can't be exported and re-installed on another machine, but if someone can get a copy of the original cert before it's installed on a machine, we don't want them to put it onto a different machine.
If someone can get a copy of the certificate including the private key and install it, then effectively the certificate is worthless as an authentication mechanism. Ideally you want the certificate to be requested by the machine directly so the private key is generated on, and only ever exists in, the authorized machine's keystore. If you need to generate the key and CSR manually, then you need to ensure the key is protected by a strong password so even if someone gets a copy they need to know the password to install it.
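As an added illustration of the manual key/CSR path described in the reply above (this is example code, not something posted in the thread and not Pulse or IVE tooling): the private key is generated locally and written only in passphrase-encrypted form, the CSR's CN is set to the machine's hostname so the issued certificate can later be compared against the connecting host, and two checks confirm that the key file is unusable without the passphrase and that the CSR names the expected host. The output directory, passphrase and hostname are constructed values.

```shell
#!/bin/sh
# Example only: generate a passphrase-protected RSA key and a CSR bound to a hostname.
# Requires the openssl command-line tool.
#   $1 = output directory, $2 = passphrase, $3 = hostname (defaults to this machine's hostname)
gen_machine_csr() {
  dir=$1; pw=$2; host=${3:-$(hostname 2>/dev/null || echo localhost)}
  mkdir -p "$dir"
  # The key never exists unencrypted on disk: genrsa encrypts it with AES-256 under the passphrase.
  openssl genrsa -aes256 -passout pass:"$pw" -out "$dir/machine.key" 2048 2>/dev/null || return 1
  # The CSR's CN carries the machine identity that the issued certificate will later be checked against.
  openssl req -new -key "$dir/machine.key" -passin pass:"$pw" \
      -subj "/CN=$host" -out "$dir/machine.csr" 2>/dev/null
}

# Returns 0 when the key file is encrypted and cannot be loaded with a wrong passphrase.
#   $1 = path to the private key
key_is_encrypted() {
  grep -q ENCRYPTED "$1" || return 1
  # A wrong passphrase must be rejected; if this succeeds the key is effectively unprotected.
  ! openssl pkey -in "$1" -passin pass:definitely-the-wrong-passphrase -noout >/dev/null 2>&1
}

# Returns 0 when the CSR's self-signature verifies and its subject CN equals the expected hostname.
#   $1 = path to the CSR, $2 = expected hostname
csr_matches_host() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  # Subject is printed as "subject=CN = host" (1.1/3.x) or "subject=/CN=host" (1.0); match both.
  openssl req -in "$1" -noout -subject | grep -q -- "CN *= */\{0,1\}$2\$"
}

# Stand-alone demo with constructed values (a temporary directory and a made-up hostname).
demo_dir=$(mktemp -d)
gen_machine_csr "$demo_dir" 'correct horse battery staple' vpn-client-01.example.test
key_is_encrypted "$demo_dir/machine.key" && echo "key is passphrase-protected"
csr_matches_host "$demo_dir/machine.csr" vpn-client-01.example.test && echo "CSR names the expected host"
```

The CSR produced this way is what the CA signs; the encrypted key file stays on the machine, and the passphrase is the only thing a copied key file is worth without.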
If your users have local admin rights (or better), then there's no such thing as a non-exportable certificate. I have had to extract non-exportable certificates (because the CD in the safe was unreadable) from Windows servers before, and it only takes a minute or so (at least on Server 2003/2008; I have no experience on Windows Server 2012).
I seem to remember seeing this type of question before in these forums, and I /think/ that the suggested answer was to use Host Checker (or some other executable) to return the hardware ID, which could then be compared to the value stored for the user in the AD/LDAP directory, with the caveat that this is only possible if the auth server is defined as type=LDAP, not 'Active Directory'.
Actually, you've assumed that Microsoft (at least in releases up to Server 2008) does more than simply store the certificate info in a file under C:\Users\<username>\Application Data\Microsoft\Crypto\RSA\ that is read-only and owned by the system account. In reality, all I have to do is take ownership of the files under this directory, and then, when I run certutil, the keys are exportable for me (the owner).
Now, if the certificate was installed with "strong private key protection" checked, then my method won't work without that password, but since this is a personal certificate, then the user would have to enter the password to be able to use it for authentication, and therefore be able to decrypt it and (after taking ownership of the file) export it.
No, it may be generated, and only be expected to be used, on a single computer... but this is Windows, and with admin rights, anything is possible. I can rename a computer in 2 minutes unless it's a member of a domain; that takes privileges not available to a local-only administrator.
I guess what I'm saying is that if you're just using one test of identity, you can be fooled. If you require the machine to be a member of an AD domain, and check for a domain-issued machine certificate, then you can be relatively sure of the identity of the machine.
Not so sure I understand how and why this would work. So you are saying User A can copy the machine cert from Computer B and install it and use it on Computer A? That doesn't make any security sense. The computer cert is generated on that computer and can only be used by that computer. IVE would reject it coming from another computer when it compares it with its cert from that computer. Now I can imagine that I am not understanding at all what is going on here, so that being the case, tomorrow I will look for the corrections to my mis- or understanding.
Has anyone tried this and succeeded?