I have a service account that communicates with a Web Service over HTTPS. I need to verify the calling machine name at the server, and deliver a response that includes this.
In my scenario, it's a security risk for the machine to specify its name in the request due to spoofing (e.g. https://internal.com/GetSoftware?machine=host123).
Question
- Assuming that host123 is domain-joined, how can a Windows Service pass along proof that it's domain-joined and prove that the machine name is indeed host123?
Similar scenarios
Scenarios like this are already in use in:
- AD DNS, where machines have permission to publish and update their records, albeit over a non-HTTPS port.
- Integrated Windows Authentication to an IIS-based web server, where a Microsoft-specific challenge/response is issued, and a browser like IE would step in and handle including the user token in the response.
I would like to make a connection similar to the one IE makes with IIS for integrated authentication, but for the $machinename.
What approaches should I explore?
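As an added illustration (not code from the question), the IE/IIS pattern described above carried over to a machine account: a Windows Service running as LocalSystem or NetworkService authenticates on the network as the computer account (DOMAIN\HOST123$), so Integrated Windows Authentication on the IIS side yields the machine name without trusting any query-string value. The handler class name, URL and the "CORP" domain are assumptions for the example.

```csharp
using System;
using System.Net.Http;
using System.Security.Principal;
using System.Threading.Tasks;
using System.Web;

// Server side: IIS handler with Windows Authentication enabled and Anonymous disabled.
// The identity comes from the Kerberos/NTLM handshake, never from the request body or query.
public class GetSoftwareHandler : IHttpHandler
{
    public bool IsReusable => true;

    public void ProcessRequest(HttpContext context)
    {
        var identity = context.User?.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;   // no Windows credential presented
            return;
        }

        // Computer accounts are named DOMAIN\HOST$; reject ordinary user accounts.
        string name = identity.Name;             // e.g. "CORP\HOST123$"
        int slash = name.IndexOf('\\');
        if (slash < 0 || !name.EndsWith("$", StringComparison.Ordinal))
        {
            context.Response.StatusCode = 403;   // authenticated, but not a machine
            return;
        }

        string host = name.Substring(slash + 1).TrimEnd('$');   // "HOST123"
        context.Response.ContentType = "text/plain";
        context.Response.Write("Verified machine: " + host);
    }
}

// Client side: called from a Windows Service running as LocalSystem or NetworkService.
// UseDefaultCredentials makes HttpClient answer the 401 challenge with the computer
// account's Kerberos ticket (or NTLM), so the server sees HOST123$ rather than a user.
public static class SoftwareClient
{
    public static async Task<string> FetchAsync(string url = "https://internal.com/GetSoftware")
    {
        var handler = new HttpClientHandler { UseDefaultCredentials = true };
        using (var client = new HttpClient(handler))
            return await client.GetStringAsync(url);
    }
}
```

The trailing `$` is a naming convention rather than a guarantee; for a stricter check, resolve the authenticated account in AD and confirm it is a computer object (or a member of Domain Computers) before trusting the derived host name.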