For a remote-access VPN service, to identify whether a genuine authorized corporate asset is connecting, we must check certain parameters that identify the end-user machine. The best way is to use digital certificates.
Which is better, a computer certificate or a user certificate?
| Machine Certificates | User Certificates |
|---|---|
| Uniquely identify a machine on the domain | Uniquely identify a user on the domain |
| Has the FQDN of the workstation | Has the DN of the user |
| Used for identity, authentication and authorization only | Has expanded abilities such as email encryption and code signing |
| Vendor recommended; a standard approach for VPN authentication | Needs a custom template, e.g. to set the private key as non-exportable |
| Non-admin unable to access the computer cert store: an added level of security | Accessible to the user |
| Useful in the "Start Before Logon" use case | Desirable for an 802.1X (dot1x) NAC environment where shared machines are used, e.g. a contact center |
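The properties compared above (FQDN in the SAN, Client Authentication EKU, private-key exportability, and which store the certificate lives in) can be audited directly on a workstation. The script below is an added example, not code from the original post; it assumes a domain-joined Windows workstation and Windows PowerShell 5.1, and it reports the candidate VPN client certificates from both the machine and the user store. The function and variable names are the example's own.

```powershell
# Added example, not from the original post: audit candidate VPN client
# certificates in the machine and user stores and report the properties the
# comparison table relies on. Assumes a domain-joined Windows workstation and
# Windows PowerShell 5.1 (also runs under PowerShell 7 on Windows).

$hostFqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required for VPN client auth

function Test-PrivateKeyExportable {
    # Returns $true if the private key is exportable, $false if not, or $null
    # when the key cannot be opened from this security context (e.g. a
    # non-admin looking at a LocalMachine certificate).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: an export policy of None means non-exportable
            return $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI key
            return $rsa.CspKeyContainerInfo.Exportable
        }
        return $null
    } catch {
        return $null
    }
}

function Get-VpnCertReport {
    param([string]$StorePath, [string]$Kind)

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert     = $_
        # Machine certs carry the workstation FQDN as a dNSName SAN entry
        $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        [pscustomobject]@{
            Store           = $Kind
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            ClientAuthEKU   = [bool]($cert.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
            SanDnsNames     = ($dnsNames -join ';')
            MatchesHostFqdn = ($dnsNames -contains $hostFqdn)
            KeyExportable   = Test-PrivateKeyExportable -Cert $cert
        }
    }
}

$report = @(Get-VpnCertReport -StorePath 'Cert:\LocalMachine\My' -Kind 'Machine') +
          @(Get-VpnCertReport -StorePath 'Cert:\CurrentUser\My'  -Kind 'User')

$report | Format-Table -AutoSize

# Flag certificates a VPN gateway would accept for client authentication
# that do not meet the template expectations described in the table.
$report | Where-Object { $_.ClientAuthEKU -and $_.KeyExportable -eq $true } |
    ForEach-Object { Write-Warning "Exportable client-auth key: $($_.Store) store, $($_.Subject)" }
$report | Where-Object { $_.Store -eq 'Machine' -and $_.ClientAuthEKU -and -not $_.MatchesHostFqdn } |
    ForEach-Object { Write-Warning "Machine cert SAN does not match $hostFqdn : $($_.Subject)" }
```

Run it once as a standard user and once elevated: as a standard user, `KeyExportable` comes back empty for LocalMachine certificates because the private key cannot be opened, which is the access-control property the table credits to machine certificates. An exportable key behind a Client Authentication EKU in either store is the finding to act on, since it means the user-certificate template (or the machine enrollment) did not mark the key non-exportable.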
Summary
Functionally, both serve a similar purpose: authenticating users connecting to a remote-access VPN. No major benefit was identified in choosing one over the other.