Thomas

Reputation: 605

Is the GUID Property of a UserPrincipal Object in Active Directory Unique and Non-spoofable?

We are using Windows Active Directory to log users in without a password. The way we are currently doing it is like this:

using System;
using System.DirectoryServices.AccountManagement;

// Bind to the domain the local machine is joined to.
var context = new PrincipalContext(ContextType.Domain, System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName);
// Look up the directory object whose sAMAccountName matches the name of the user running this process.
var result = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, Environment.UserName);

Then we have a stored SamAccountName in our database which we match against the returned result.SamAccountName.

This is definitely not secure as users could have the same SamAccountName and log in using that.

We are exploring the use of the GUID which exists on the UserPrincipal (result.Guid). My question is, is this variable non-spoofable on the Windows side? Can we match the GUID that exists on the UserPrincipal object with a variable we store in our database? Is this secure? Does this property always exist on an AD UserPrincipal? If not, how would we securely authenticate a user through this Windows Active Directory login?

Upvotes: 3

Views: 393

Answers (1)

Sina Akbari

Reputation: 91

"sAMAccountName" is unique in a domain.

But you can also use both "objectSID" and "objectGUID" for this purpose; these fields remain unchanged.

Note that if an object is moved to another domain, the objectSID changes, but not the objectGUID.

Overall, the best choice is "objectGUID", according to https://social.technet.microsoft.com/Forums/windowsserver/en-US/a5c0a863-cad1-4df8-a194-cb58f24ab1e6/is-objectguid-unique-in-the-domainforest?forum=winserverDS

Upvotes: 1
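An added illustration (not code from the asker or the answerer) of what matching on objectGUID, as the answer recommends, has to rest on. The check in the question feeds Environment.UserName, a name the client process reports about itself, into FindByIdentity; a directory lookup keyed on an unverified name returns the GUID of whatever name was supplied, so the GUID is only as trustworthy as the name. The identity has to come from the Windows logon token that the domain controller issued (Kerberos or NTLM), which the hosting layer hands to the application as a WindowsIdentity, and the SID in that token is then resolved to the directory object whose objectGUID is compared with the enrolled value. Assumptions, labelled in the code: a domain-joined Windows host, and a hypothetical EnrolledUsers table standing in for the application's own database of stored objectGUIDs.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example; not part of the original question or answer.
// Assumes a domain-joined Windows host and an application-side store of
// objectGUIDs recorded when each user was enrolled.
public static class AdLoginCheck
{
    // Hypothetical stand-in for the application's database: objectGUID -> display name.
    // In a real deployment this is populated at enrolment time from UserPrincipal.Guid.
    static readonly Dictionary<Guid, string> EnrolledUsers = new Dictionary<Guid, string>();

    // The WindowsIdentity must come from the authenticating host (the impersonated
    // caller under integrated Windows authentication), not from a client-supplied
    // string such as Environment.UserName or a posted form field.
    public static bool IsEnrolled(WindowsIdentity identity)
    {
        // identity.User is the SID carried in the logon token the domain controller
        // issued; an anonymous or non-account SID cannot be an enrolled user.
        SecurityIdentifier sid = identity?.User;
        if (sid == null || identity.IsAnonymous || !sid.IsAccountSid())
            return false;

        // Resolve the token's SID to the directory object and read its objectGUID.
        // Resolving by SID rather than by name keeps the lookup bound to the token.
        using (var context = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(context, IdentityType.Sid, sid.Value))
        {
            // Principal.Guid is Guid?; it is null only when the object could not be
            // read, which is treated as a failed check rather than a match.
            if (user?.Guid == null)
                return false;

            // Compare against the value stored at enrolment. objectGUID survives renames
            // and cross-domain moves, which is why the answer prefers it over objectSID.
            return EnrolledUsers.ContainsKey(user.Guid.Value);
        }
    }

    public static void Main()
    {
        // For a desktop client this is the interactive logon token; a server
        // component would instead receive the caller's identity from its host.
        using (var current = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine(IsEnrolled(current) ? "enrolled" : "not enrolled");
        }
    }
}
```

Two caveats follow from the design. First, a thick client that computes the identity itself and then writes to the database with a shared connection string has no authentication at all, whichever attribute it compares; the comparison must run where the token was validated, or the database itself must use integrated authentication. Second, on a non-domain-joined machine or under a local account, FindByIdentity against ContextType.Domain throws or returns null, which the code treats as a failed check instead of falling back to a name-based lookup.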
