
Machine (computer) authentication supported?

Posted: Sat May 29, 2021 5:58 am
by agillis
Hi all,

Does Viscosity support Windows "machine authentication" (a.k.a. computer authentication)?
Machine authentication uses a machine certificate (in kernel mode) to authenticate the endpoint.
The docs mention user authentication, which is quite different since it makes use of a user certificate (in user mode).

Thank you,
Amos

Re: Machine (computer) authentication supported?

Posted: Mon May 31, 2021 8:13 am
by Eric
Hi Amos,

The closest thing to this would be the cryptoapicert command which allows you to use certificates/keys in the Windows certificate manager/keystore.

https://sparklabs.com/support/kb/articl ... ptoapicert

Regards,
Eric

Re: Machine (computer) authentication supported?

Posted: Tue Jun 01, 2021 12:40 am
by agillis
Thank you Eric for your swift reply.

I think cryptoapicert would work, depending on the privileges of the invoking process.
Normal users have no rights to access "machine" (a.k.a. "computer") certificates/keys.
Solutions like Citrix Gateway can use machine certificates for authentication because they rely on a system service.
So I guess my question should be "does Viscosity rely on a service running with system privileges?".

Best regards,
Amos

Re: Machine (computer) authentication supported?

Posted: Wed Jun 02, 2021 7:53 am
by Eric
Hi Amos,

Viscosity relies on a service running with elevated privileges to handle tasks that require elevation like setting up networking. The service can be changed to run as any user you like though other than Builtin System if you wish, as long as that user has access to do things like create PnP drivers and set up networks.

In regards to cryptoapicert, Viscosity will search the machine store first, and if no match is found, will fall back to the local user's store.

Viscosity has a built-in 30-day trial so feel free to test Viscosity out and see if it suits your needs.

Regards,
Eric
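
Added example, not part of the thread and not Viscosity's code: a PowerShell check that follows the lookup order described above (machine store first, then the current user's store) for one thumbprint and reports whether the account running it can actually open the private key. The function name, the placeholder thumbprint and the use of the `My` (Personal) store are assumptions.

```powershell
# Added example (not Viscosity code). Run it as the account whose access you want to test.
function Find-CryptoApiCert {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Normalise "aa bb cc" or "AABBCC" to upper-case hex without separators.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Lookup order as described in the thread: machine store first, then the user's store.
    # Assumption: the certificate lives in the "My" (Personal) store.
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $clean } |
            Select-Object -First 1
        if (-not $cert) { continue }

        # HasPrivateKey only means a key is linked to the certificate.
        # Opening the key is the step that fails when this account lacks rights on it.
        $keyOpens = $false
        if ($cert.HasPrivateKey) {
            try {
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if (-not $key) {
                    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                }
                $keyOpens = $null -ne $key
            } catch {
                $keyOpens = $false   # typically "Keyset does not exist" or access denied
            }
        }

        # OpenVPN's manual writes the THUMB selector as space-separated hex bytes.
        $spaced = ($clean -replace '(..)(?!$)', '$1 ').ToLowerInvariant()
        return [pscustomobject]@{
            RunningAs       = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
            Store           = $store
            Subject         = $cert.Subject
            HasPrivateKey   = $cert.HasPrivateKey
            PrivateKeyOpens = $keyOpens
            ConfigLine      = 'cryptoapicert "THUMB:{0}"' -f $spaced
        }
    }
    Write-Warning "No certificate with thumbprint $clean in LocalMachine\My or CurrentUser\My."
}

# Constructed placeholder thumbprint; replace it with the real one.
Find-CryptoApiCert -Thumbprint '0000000000000000000000000000000000000000'
```

Running it once as a standard user and once as the account the service uses shows whether `PrivateKeyOpens` differs for a machine-store certificate.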