I have an Asp.net MVC project authenticating through AD. I would like to store audit information in tables for the current logged in user. What should I be storing in the database? I am currently using SamAccountName for my membership and role providers. Should I be using this? Should I use the more verbose and modern UserPrincipalName? What if we eventually end up using multiple domains?
What about Guid? Guid would seem like the obvious choice but I know nothing about it. Why is it nullable? Does this value change? What is it used for?
According to SID vs. GUID ...
The reason for using SIDs at all, and not GUIDs, is for backward compatibility. Windows NT uses SIDs to identify users and groups in ACLs on resources.
SIDs will actually change if you move a user to a new domain, the GUID will remain constant. It looks to me like GUID is the way to go unless you intend to authenticate against a NT4 AD server.
I'm not sure what to do here as I cannot accept my own answer for 2 days. Most in-depth explanation wins?
The SID (Security IDentifier) is a unique ID number that a computer or domain controller uses to identify you. It is a string of alphanumeric characters assigned to each user on a Windows computer, or to each user, group, and computer on a domain-controlled network such as Indiana University's Active Directory.
Open “Active Directory Users & Computers” on the Domain Controller. Select the “Built-in” container, right-click any of the above groups in the right pane, and open its “Properties” window. Go to the “Members” tab; there you will see all members of this group. All are privileged users.
In Active Directory, the User Principal Name (UPN) attribute is a user identifier for logging in, separate from a Windows domain login. For more, see Microsoft's User Naming Attributes. The format of the UPN attribute at IU is [email protected].
The samAccountName is the User Logon Name in pre-Windows 2000 (this does not mean samAccountName is not used as the Logon Name in modern Windows systems). The userPrincipalName is the newer form of User Logon Name from Windows 2000 and later versions.
According to SID vs. GUID ...
The reason for using SIDs at all, and not GUIDs, is for backward compatibility. Windows NT uses SIDs to identify users and groups in ACLs on resources.
That being said, I've decided to go with GUID. SIDs will actually change if you move a user to a new domain, the GUID will remain constant. So long as you don't plan on running your application against an NT4 AD server, GUID is the way to go.
You might want to use the SID -- that's what the OS itself uses in most cases. SIDs are also unique across domains or workgroups.
The problem with user name alone is that it can be changed, whereas the SID is fixed.
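Putting the answers above into code, as an added example that is not from this thread: it resolves the Windows-authenticated user of an ASP.NET MVC request to all four identifiers so the audit row can key on the immutable objectGUID while keeping the SID and logon names for correlation and display. It assumes the System.DirectoryServices.AccountManagement API and that User.Identity.Name arrives as DOMAIN\user; the AuditIdentity class is my own naming.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example, not code from the original question or answers.
// Assumes Windows/AD authentication so that HttpContext.User.Identity.Name
// is "DOMAIN\\samAccountName" (the DOMAIN prefix matters once several domains exist).
public sealed class AuditIdentity
{
    public Guid ObjectGuid { get; private set; }          // objectGUID: constant even if the user moves domains
    public string Sid { get; private set; }               // objectSid: what ACLs use; changes on a cross-domain move
    public string SamAccountName { get; private set; }    // pre-Windows 2000 logon name; can be renamed
    public string UserPrincipalName { get; private set; } // UPN; can be renamed, may be null

    public static AuditIdentity Resolve(string identityName)
    {
        // Split "DOMAIN\\user" so the lookup is bound to the right domain
        // instead of the default one when the forest has more than one.
        string domain = null, account = identityName;
        int slash = identityName.IndexOf('\\');
        if (slash >= 0)
        {
            domain = identityName.Substring(0, slash);
            account = identityName.Substring(slash + 1);
        }

        using (var ctx = new PrincipalContext(ContextType.Domain, domain)) // null domain = default domain
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, account))
        {
            if (user == null)
                throw new InvalidOperationException("No AD user found for " + identityName);

            // Guid is a Guid? because a Principal that has not yet been saved to the
            // directory has no objectGUID; for a user looked up from AD it is populated.
            if (!user.Guid.HasValue)
                throw new InvalidOperationException("AD returned no objectGUID for " + identityName);

            return new AuditIdentity
            {
                ObjectGuid = user.Guid.Value,
                Sid = user.Sid.Value,            // SDDL string form, e.g. "S-1-5-21-..."
                SamAccountName = user.SamAccountName,
                UserPrincipalName = user.UserPrincipalName
            };
        }
    }
}

// Usage inside a controller action (audit row columns are assumed names):
//   var who = AuditIdentity.Resolve(User.Identity.Name);
//   auditRow.UserObjectGuid = who.ObjectGuid;    // primary key for joins: survives renames and domain moves
//   auditRow.UserSid        = who.Sid;           // keep for correlation with Windows security event logs
//   auditRow.UserLogonName  = who.SamAccountName; // display only; never key on a renameable name
```

Store the objectGUID as the key and the SID and names as denormalized columns captured at the time of the event, so the audit trail stays readable after a rename without losing its link to the account.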