Using Certificates


One of the best ways to control access to your Web application is to require users to log on with a client certificate. A certificate carries digitally signed information about the user, so it is very difficult for someone else to forge the certificate or impersonate its holder.

With Internet Information Server, you can map client certificates to Windows NT user accounts. It might be useful to group authenticated individuals into protected access role groups. In this way, your application would require only a few Windows NT domain accounts that express various roles that clients could play (such as buyer, seller, supplier, and manager). These certificate-based security roles can then be extended into the roles used by Microsoft Transaction Server.

Whenever a user attempts to log on to a Web application that requires a certificate, the user's Web browser automatically forwards the certificate to the server. The server authenticates the user before permitting access to an ASP application. Your application can then use ASP scripts to read the fields of the certificate. For example, you can read the user name or company name fields and, based on the company, restrict the user to that company's designated pages.
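The following classic ASP page, added here as an illustration and not taken from the original article, shows how a script reads certificate fields through the Request.ClientCertificate collection once IIS has accepted the certificate. It checks the Flags value (the ceCertPresent and ceUnrecognizedIssuer constants come from the ASP include file cervbs.inc) before trusting any field, then reads the subject's common name (SubjectCN) and organization (SubjectO) and maps the organization to a content area. The ContentAreaForOrganization function and the company names inside it are hypothetical, constructed for the example; the mapping would normally come from your own configuration or database.

```asp
<%@ Language=VBScript %>
<%
' Added example (not part of the original page): read client-certificate
' fields with classic ASP's Request.ClientCertificate collection.
' Constants as defined in cervbs.inc, the ASP certificate include file.
Const ceCertPresent = 1
Const ceUnrecognizedIssuer = 2

' Hypothetical helper: map a certificate's organization (O) field to the
' content area designated for that company. Names are constructed samples.
Function ContentAreaForOrganization(org)
    Select Case LCase(org)
        Case "example buyer co"
            ContentAreaForOrganization = "/buyers/"
        Case "example supplier ltd"
            ContentAreaForOrganization = "/suppliers/"
        Case Else
            ContentAreaForOrganization = ""
    End Select
End Function

Dim flags, subjectCN, subjectO, area

' Flags is a bit field: test it before reading any other certificate field.
flags = Request.ClientCertificate("Flags")

' No certificate was sent: refuse the request rather than fall back silently.
If (flags And ceCertPresent) = 0 Then
    Response.Status = "403 Forbidden"
    Response.Write "A client certificate is required."
    Response.End
End If

' Certificate present but issued by a CA the server does not recognize.
If (flags And ceUnrecognizedIssuer) <> 0 Then
    Response.Status = "403 Forbidden"
    Response.Write "The certificate issuer is not trusted."
    Response.End
End If

' Individual subject fields: CN is the user name, O is the organization.
subjectCN = Request.ClientCertificate("SubjectCN")
subjectO  = Request.ClientCertificate("SubjectO")

' Restrict the user to the pages designated for their company.
area = ContentAreaForOrganization(subjectO)
If area = "" Then
    Response.Status = "403 Forbidden"
    Response.Write "No content is designated for this organization."
    Response.End
End If
%>
<html>
<body>
<p>Welcome, <%= Server.HTMLEncode(subjectCN) %> (<%= Server.HTMLEncode(subjectO) %>).</p>
<p>Your designated content area is <a href="<%= Server.HTMLEncode(area) %>">here</a>.</p>
</body>
</html>
```

The script-level checks complement rather than replace the server's own handling: IIS must already be configured to require client certificates for the application, otherwise a page that merely reads the fields would be reachable without one. Certificate field values are written back to the page only through Server.HTMLEncode, because the subject name is data supplied by the client's certificate, not by your application.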

For More Information: For more information about using certificates, see Security and Certificate Server in this chapter, and search for "The Microsoft Internet Security Framework: Technology for Secure Communication, Access Control, and Commerce" in MSDN Library Visual Studio 6.0. Securing Microsoft Transaction Server, in this chapter, introduces two ways to protect component interface access: client impersonation and client authorization.