Is there a proven concept to website reverse certificate authentication?
Posted by Tom on Programmers
Published on 2011-11-14T15:59:26Z
We're looking at exposing some of our internal application data externally via a website. The actual details of the website aren't that interesting; it'll be built using ASP.NET/IIS etc., which might be relevant. With this, I'm essentially looking for a mechanism to authenticate users viewing my website.
This sounds trivial, a username/password is typically fine, but I want more. Now I've read plenty about SSL/X.509 to realise that the CA determines that we're all right, and that the user can trust us. But I want to trust the user; I want the user to be rejected if they don't have the correct credentials.
I've seen a system for online banking whereby the bank issues a certificate which gets installed on the users' computer (it was actually smartcard based). If the website can't discover/utilise the key-pair then you are immediately rejected!
This is brutal, but necessary. Is there a mechanism where I can do the following:
- Generate a certificate for a user
- Issue the certificate for them to install, it can be installed on > 1 machine
- If their certificate is not accessible, they are denied all access
- A standard username/password scheme is then used after that
- SSL employed using their certificate once they're "in"
This really must already exist, please point me in the right direction! Thanks for your help :)
© Programmers or respective owner
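The flow in the list above (a client certificate issued by your own CA is mandatory, the usual username/password step only runs once it has been accepted) as a classic ASP.NET `Global.asax` hook. This is an added example, not code from the original post; it assumes IIS has `<access sslFlags="Ssl, SslRequireCert" />` set for the site, that the issuing CA's root is in the machine's Trusted Root store, and that the `IssuingCaThumbprint` placeholder is replaced with your CA's thumbprint.

```csharp
// Global.asax.cs (hypothetical): defence-in-depth check behind IIS's own
// SslRequireCert enforcement, plus pinning to the in-house issuing CA.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;

public class Global : HttpApplication
{
    // Placeholder: SHA-1 thumbprint of the CA that issues user certificates.
    private const string IssuingCaThumbprint = "REPLACE_WITH_CA_THUMBPRINT";

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpClientCertificate clientCert = Request.ClientCertificate;
        if (!clientCert.IsPresent || !clientCert.IsValid)
        {
            DenyAccess("client certificate missing or rejected by IIS");
            return;
        }
        var cert = new X509Certificate2(clientCert.Certificate);
        if (!ChainsToIssuingCa(cert))
        {
            DenyAccess("certificate was not issued by our CA");
            return;
        }
        // Certificate accepted: record who presented it. The username/password
        // step (e.g. Forms authentication) runs after this as the second factor.
        Context.Items["ClientCertSubject"] = cert.Subject;
    }

    // Build the chain with revocation checking and require our CA to be in it,
    // so a certificate from any other trusted CA is still refused.
    private static bool ChainsToIssuingCa(X509Certificate2 cert)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        if (!chain.Build(cert)) return false;
        foreach (X509ChainElement element in chain.ChainElements)
        {
            if (string.Equals(element.Certificate.Thumbprint, IssuingCaThumbprint,
                              StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    private void DenyAccess(string reason)
    {
        Response.StatusCode = 403;
        Response.Write("Access denied: " + reason);
        CompleteRequest(); // stop the pipeline without reaching the page
    }
}
```

Issuing the user's certificate as a PKCS#12 file lets it be installed on more than one machine; a smartcard-held key, as in the banking example, is the stricter variant of the same scheme.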