For a remote-access VPN service, to confirm that a genuine, authorized corporate asset is connecting, we must check certain parameters that identify the end-user machine. The best way to do this is with digital certificates.
Which is better: a computer (machine) certificate or a user certificate?
| Machine Certificates | User Certificates |
|---|---|
| Uniquely identify a machine on the domain | Uniquely identify a user on the domain |
| Has the FQDN of the workstation | Has the DN of the user |
| Used for identity, authentication and authorization only | Has expanded abilities such as email encryption, code signing |
| Vendor recommended, a standard approach for VPN authentication | Needs a custom template, e.g. to set the private key as non-exportable |
| Non-admin unable to access the computer cert store: an added level of security | Accessible to the user |
| Useful in the "Start Before Logon" use case | Desirable for a dot1x NAC environment where shared machines are used, e.g. a contact center |
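The table's distinction (FQDN of the workstation versus DN of the user, identity-only EKU versus broader EKUs) is something a VPN gateway can check on the presented certificate before it picks an authorization policy. The following Go program is an added illustration, not code from the original page or from any VPN vendor. It builds three throwaway self-signed certificates in the shape the table describes (a machine certificate with a DNS SAN, a user certificate with an e-mail SAN, and a code-signing certificate that should never be accepted for VPN logon) and classifies each. Assumptions: the corporate domain suffix `corp.example`, an e-mail SAN standing in for the user's UPN (Go's standard library does not parse the UPN otherName SAN), and that chain and revocation validation have already happened elsewhere.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertClass is the label a VPN gateway could attach to a presented client
// certificate before choosing an authorization policy for the session.
type CertClass string

const (
	ClassMachine  CertClass = "machine"
	ClassUser     CertClass = "user"
	ClassRejected CertClass = "rejected"
)

// hasEKU reports whether the certificate asserts the given Extended Key Usage.
func hasEKU(cert *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == want {
			return true
		}
	}
	return false
}

// ClassifyClientCert applies the table's distinction: a machine certificate
// names the workstation by FQDN (DNS SAN under the corporate suffix), a user
// certificate names the person (e-mail SAN in the corporate domain). Both must
// carry the Client Authentication EKU; anything else is rejected even if it
// chains to the corporate CA. Chain/revocation checks are assumed done already.
func ClassifyClientCert(cert *x509.Certificate, domainSuffix string) CertClass {
	suffix := strings.ToLower(domainSuffix)
	if !hasEKU(cert, x509.ExtKeyUsageClientAuth) {
		return ClassRejected
	}
	for _, name := range cert.DNSNames {
		if strings.HasSuffix(strings.ToLower(name), "."+suffix) {
			return ClassMachine
		}
	}
	for _, mail := range cert.EmailAddresses {
		if strings.HasSuffix(strings.ToLower(mail), "@"+suffix) {
			return ClassUser
		}
	}
	return ClassRejected
}

// selfSigned builds a throwaway self-signed certificate from a template so the
// example runs offline. Constructed test data, not a corporate CA.
func selfSigned(tmpl *x509.Certificate) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MachineCert models the table's machine certificate: workstation FQDN as
// subject and DNS SAN, EKU limited to Client Authentication.
func MachineCert() (*x509.Certificate, error) {
	return selfSigned(&x509.Certificate{
		Subject:     pkix.Name{CommonName: "ws-0042.corp.example"},
		DNSNames:    []string{"ws-0042.corp.example"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
}

// UserCert models the table's user certificate: the user's DN plus an e-mail
// SAN, with the broader EKUs a user template typically carries.
func UserCert() (*x509.Certificate, error) {
	return selfSigned(&x509.Certificate{
		Subject:        pkix.Name{CommonName: "Alice Example", Organization: []string{"Corp"}},
		EmailAddresses: []string{"alice@corp.example"},
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	})
}

// CodeSigningCert identifies a user but was never issued for VPN logon.
func CodeSigningCert() (*x509.Certificate, error) {
	return selfSigned(&x509.Certificate{
		Subject:        pkix.Name{CommonName: "Alice Example"},
		EmailAddresses: []string{"alice@corp.example"},
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
}

func main() {
	for _, mk := range []func() (*x509.Certificate, error){MachineCert, UserCert, CodeSigningCert} {
		cert, err := mk()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-22s -> %s\n", cert.Subject.CommonName, ClassifyClientCert(cert, "corp.example"))
	}
}
```

The EKU check is what stops a certificate issued from a user template for e-mail or code signing from doubling as a VPN credential; the suffix check is what stops a machine certificate from an unrelated domain that still chains to a trusted CA from being treated as a corporate asset.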
Summary
Functionally, both serve a similar purpose for authenticating users connecting to a remote-access VPN. No major benefit was identified in choosing one over the other.