Jim Mitchener

Reputation: 9003

What Active Directory field do I use to uniquely identify a user?

I have an ASP.NET MVC project authenticating through AD. I would like to store audit information in tables for the currently logged-in user. What should I be storing in the database? I am currently using SamAccountName for my membership and role providers. Should I be using this? Should I use the more verbose and modern UserPrincipalName? What if we eventually end up using multiple domains?

What about Guid? Guid would seem like the obvious choice but I know nothing about it. Why is it nullable? Does this value change? What is it used for?

Update

According to SID vs. GUID ...

The reason for using SIDs at all, and not GUIDs, is for backward compatibility. Windows NT uses SIDs to identify users and groups in ACLs on resources.

SIDs will actually change if you move a user to a new domain; the GUID will remain constant. It looks to me like GUID is the way to go unless you intend to authenticate against an NT4 AD server.

I'm not sure what to do here as I cannot accept my own answer for 2 days. Most in-depth explanation wins?

Upvotes: 20

Views: 13116

Answers (4)

Jim Mitchener

Reputation: 9003

According to SID vs. GUID ...

The reason for using SIDs at all, and not GUIDs, is for backward compatibility. Windows NT uses SIDs to identify users and groups in ACLs on resources.

That being said, I've decided to go with GUID. SIDs will actually change if you move a user to a new domain; the GUID will remain constant. So long as you don't plan on running your application against an NT4 AD server, GUID is the way to go.

Upvotes: 8
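An added example (not from any of the posters) of what this answer describes: resolve the Windows-authenticated caller to an audit record keyed on objectGUID, while still capturing SID, SamAccountName and UPN so the log stays readable and can be correlated with ACLs. It assumes ASP.NET Windows Authentication, System.DirectoryServices.AccountManagement, and that HttpContext.Current.User.Identity.Name is in DOMAIN\user form; AuditActor and AuditActorResolver are hypothetical names.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;

// Hypothetical audit record: the object GUID is the identity key, the other
// fields are kept only so a human reading the audit log does not see bare GUIDs.
public sealed class AuditActor
{
    public Guid ObjectGuid { get; set; }        // stable across renames and inter-domain moves
    public string Sid { get; set; }             // changes when the user moves domains; good for ACL correlation
    public string SamAccountName { get; set; }  // readable, but an admin can rename it
    public string UserPrincipalName { get; set; }
}

public static class AuditActorResolver
{
    public static AuditActor ResolveCurrentUser()
    {
        // Identity.Name is "DOMAIN\user"; split it so multi-domain forests bind to the right domain.
        string name = HttpContext.Current.User.Identity.Name;
        int slash = name.LastIndexOf('\\');
        string domain = slash >= 0 ? name.Substring(0, slash) : null;
        string sam = slash >= 0 ? name.Substring(slash + 1) : name;

        using (var ctx = domain == null
            ? new PrincipalContext(ContextType.Domain)
            : new PrincipalContext(ContextType.Domain, domain))
        {
            UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam);
            if (user == null)
                throw new InvalidOperationException("Account not found in the directory: " + name);

            // Principal.Guid is Guid? because a principal constructed in code and not yet
            // saved has no directory object. A principal returned by a search always has one,
            // so a missing value here means the directory gave back something unexpected.
            if (!user.Guid.HasValue)
                throw new InvalidOperationException("Directory returned no objectGUID for " + name);

            return new AuditActor
            {
                ObjectGuid = user.Guid.Value,
                Sid = user.Sid.Value,            // SDDL string form, e.g. S-1-5-21-<domain>-<RID>
                SamAccountName = user.SamAccountName,
                UserPrincipalName = user.UserPrincipalName
            };
        }
    }
}
```

Store ObjectGuid as the foreign key for the actor and treat the name columns as a snapshot taken at write time; if an account is renamed or moved later, existing rows still point at the same directory object.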

dso

Reputation: 9580

If you are using ASP.NET MVC (or Webforms for that matter) with Windows Authentication, why not just use the user name that you get from this property:

HttpContext.Current.User.Identity.Name

This returns Domain/Username of the user. I have worked on corporate web apps that used this for auditing purposes. I would be curious to know if you think this is not unique enough for your purposes.

Also I'm not sure why you would want to store a SID or GUID of the user, as it is very hard to read compared to domain/user when you are viewing audit logs.

Upvotes: -1

RickNZ

Reputation: 18654

You might want to use the SID -- that's what the OS itself uses in most cases. SIDs are also unique across domains or workgroups.

The problem with user name alone is that it can be changed, whereas the SID is fixed.

Upvotes: 2

gbjbaanb

Reputation: 52679

samAccountName is the user name the user uses to log in with. You can get a little more 'complete' by prepending the domain too, but there's no reason not to use the obvious username field.

Upvotes: -2
