Store SID or username in database for AD accounts?

The C# app I'm developing needs to store some metadata for any users of the app (e.g. app settings, permissions, etc.). We use AD for authorization / authentication.

Is it better to store SID or DOMAIN / Username in application database to identify AD account?

+2




3 answers


I did it both ways ...



  • If you keep the SID, you can rename that account without breaking the app, but don't read it.
  • If you keep the username then it is easy to read, but you need to update your details if the account is renamed.
+2




I would keep the SID and use LookupAccountSID when/if you need to display the name associated with that account.



+3




We built a small class to combine the two and only compare against sid. The format is similar to the following line:

"Domain\\User\nS-1-5-21-...........-1129"


This gives us "friendly" names in the database and in the debugger, but all bindings are effectively outside of the meaning.

What happens when the username changes? The data is outdated and remains so :)

BTW, if you do something like this, make sure you can't get the "display name" from the object as you don't want it to be displayed to the user as it might be deprecated. Instead, you must run the LookupUserName() procedure, which performs the correct SID resolution on the account name.

Finally, be sure to save the SID, but you will. You don't want to keep JDoe, and when Jane leaves and John starts a month later, he suddenly has access?

+2


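The combined "friendly name plus SID" record that this answer describes, written out as an added C# example (it is not code from the answer); equality is decided by the SID alone, the cached name is never shown to users, and the current name is resolved from the domain at display time. The domain, usernames and SID values below are constructed placeholders.

```csharp
using System;
using System.Security.Principal;

// Added example: stores a cached friendly name next to the SID but compares only on the SID.
public sealed class AdIdentity : IEquatable<AdIdentity>
{
    public SecurityIdentifier Sid { get; }
    public string CachedName { get; }   // may be stale after a rename; for logs/debugger only

    public AdIdentity(SecurityIdentifier sid, string cachedName)
    {
        Sid = sid ?? throw new ArgumentNullException(nameof(sid));
        CachedName = cachedName ?? string.Empty;
    }

    // Parses the stored column format "DOMAIN\\user\nS-1-5-21-...".
    public static AdIdentity Parse(string stored)
    {
        string[] parts = stored.Split(new[] { '\n' }, 2);
        if (parts.Length != 2) throw new FormatException("expected 'name\\nSID'");
        return new AdIdentity(new SecurityIdentifier(parts[1].Trim()), parts[0].Trim());
    }

    public string ToStorageString() => CachedName + "\n" + Sid.Value;

    // Current account name for display (LookupAccountSid equivalent; Windows/domain only).
    // An orphaned SID (account deleted) is shown as the raw SID rather than a stale name.
    public string ResolveCurrentName()
    {
        try { return ((NTAccount)Sid.Translate(typeof(NTAccount))).Value; }
        catch (IdentityNotMappedException) { return Sid.Value; }
    }

    public bool Equals(AdIdentity other) => other != null && Sid.Equals(other.Sid);
    public override bool Equals(object obj) => Equals(obj as AdIdentity);
    public override int GetHashCode() => Sid.GetHashCode();
}

public static class Demo
{
    public static void Main()
    {
        // Constructed placeholder SID; a real one comes from WindowsIdentity.GetCurrent().User.
        const string sid = "S-1-5-21-1111111111-2222222222-3333333333-1129";
        AdIdentity stored = AdIdentity.Parse("CORP\\jdoe\n" + sid);          // as saved last year
        AdIdentity renamed = AdIdentity.Parse("CORP\\jane.doe\n" + sid);     // same account, renamed
        Console.WriteLine(stored.Equals(renamed));                          // True: SID unchanged
        Console.WriteLine(stored.CachedName == renamed.CachedName);         // False: name is stale
    }
}
```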






