I'm building Active Directory Authentication into my application and I am planning to link my application's internal accounts to a user's domain SID. It is easier for me to work with the string format of the SID than a byte array, so I was planning to store it in the database as a string. How long should I make the field to ensure SIDs will not get truncated?

A: 

There isn't a maximum length of a SID in SDDL format. String-format SIDs follow the format described here. That simply says "variable number of subauthority or... values". In other words, SIDs in string format (or binary) can be arbitrarily long.

Roger Lipscombe
Thanks, your link got me to another page where I discovered that there is a max of 15 subauthorities. See subauthority count here: http://msdn.microsoft.com/en-us/library/cc230371(PROT.10).aspx What I'm not sure how to do now is figure out how all of those different lengths relate to the SDDL format. Any thoughts?
Brian
+2  A: 

I had the same question, and I believe the right answer is:

SID as string: 184 characters, or varchar(184) in SQL Server

SID as string of Hex digits: 136 characters, or varchar(136) in SQL Server

SID as binary: 68 bytes, or varbinary(68) in SQL Server

I haven't checked the math myself, but the technique used here looks valid: http://www.secnewsgroups.net/group/microsoft.public.dotnet.security/topic10882.aspx

Refer to the program written by Russell Mangel on Aug 19, 2006, also copied here for reference:

So the answer to my question is:

varbinary(68) -- pure binary
varchar(136)  -- (68*2) = hexString
varchar(184)  -- SID String

I wrote a little program to test, notice that .NET 2.0 has SecurityIdentifier.MaxBinaryLength, I didn't know about this.

using System;
using System.Security.Principal;

class SidLengthTest
{
    static void Main()
    {
        // Smallest SID: revision + subauthority count + 6-byte identifier authority
        Console.WriteLine("SID Min. num Bytes: {0}",
            SecurityIdentifier.MinBinaryLength);
        // Largest SID: that 8-byte header plus 15 four-byte subauthorities
        Console.WriteLine("SID Max. num Bytes: {0}",
            SecurityIdentifier.MaxBinaryLength);
        Byte[] bytes = new byte[SecurityIdentifier.MaxBinaryLength];
        for (Int32 i = 0; i < bytes.Length; i++)
        {
            bytes[i] = 0xFF; // every authority and subauthority field at its maximum
        }
        bytes[0] = 0x01; // Revision: must be 1
        bytes[1] = 0x0F; // SubAuthorityCount: max 15 (base10)
        SecurityIdentifier sid = new SecurityIdentifier(bytes, 0);
        String sidString = sid.ToString();
        Console.WriteLine("Max length of SID in String format: {0} ",
            sidString.Length);
        Console.WriteLine(sidString);
    }
}

Results ------------------------------

SID Min. num Bytes: 8
SID Max. num Bytes: 68
Max length of SID in String format: 184
S-1-281474976710655-4294967295-4294967295-4294967295-4294967295-4294967295-4294967295-4294967295-4294967295-4294967295-4294967295-4294967295-4294967295-4294967295-4294967295-4294967295


Emil Lerch