To be safe, it is only through an HTTPS connection.
In a nutshell, do not explain - read the manuals and slides on the topic of authentication, sessions.
After a person is identified, the program must determine what rights he has in the system: what is possible and what is not.
Working with certificates is, for the most part, a sysadmin job.
On a working machine, it is enough to work with a self-signed certificate. The main thing is that the web server supports HTTPS.

If the grid is local at home, then you don’t have to worry about encryption, all the same, packets will go through your router. If you have a corporate local network, then most likely you have an Active Directory, a DNS server.
In principle, in a local network, if it is limited by your devices (switch hubs, etc.), then you don’t have to worry about HTTPS. Also, if your organization’s local network is distributed between cities (connected via VPN), then you shouldn’t bother with HTTPS either, let the admins think about the security of the local network (for example, they can use sophisticated VPN encryption).
With Active Directory, you get a very simple authentication model (NTLM or Kerberos) if Kerberos is configured of course. In your project, simply indicate that you want to use Windows authentication, and then it's a matter of technology.
No registration is needed, your users already have it on KDS.