tags:

views:

188

answers:

2
Q: 

Storing a Windows SID in a Database for Lookup

I have an ASP.NET MVC application where I need to allow to customers configure MembershipProviders based on their environment, but still be able to map that MembershipUser to a concrete User model in our database.

Membership.GetUser() will give me access to the logged-in user's Membership.ProviderUserKey. I can use this to relate to a User record. Our custom SQL provider will just return the User.Id, but AD is a different story. In that case, ProviderUserKey is an IdentityReference.

These lookups will happen very frequently, as you can imagine (although caching can assist in reducing the lookups at the database level).

I can't decide which route is better to go: Storing the SID as a varbinary or varchar column. This column would not be a primary key and would not have a clustered index. Knowing that I can index strings pretty well, and reading a SID in string format is certainly nicer than binary. Anyone willing to share how they solved such a situation?

Update

I don't know how I missed this SO question when I was searching before I posted, but it seems pretty clear that ActiveDirectoryMembershipProvider and ActiveDirectoryMembershipUser are not quite cut out for the task at hand, as they exist today.

An answer in that SO question linked the following article, where the following was stated:

The relative identifier portion of a SID is unique relative to the domain, so if the domain changes, the relative identifier also changes.

Thus when a User object moves from one domain to another, a new SID must be generated for the user account and stored in the Object-SID property.

However, each group and user has an Object-GUID, which will never change, even if the account is moved. Therefore, it would behoove me to use Object-GUID in my User class, and not Object-SID. Otherwise, someone's User record will be abandoned if they are moved and therefore breaking the relationship between their principal and the data they created.

Unfortunately, ActiveDirectoryMembershipUser doesn't let me get at Object-GUID. So, I'll either have to translate the SID to a GUID after ActiveDirectoryMembershipUser does its work, or create my own MembershipProvider that does everything I need on the spot. Unfortunately, this means I might have to duplicate effort already done for me by ActiveDirectoryMembershipProvider.

+1  A: 

Microsoft stores SIDs as varbinary(85) in sys.server_principals

This is also a unique column, so it must have an index...

gbn  2009-10-27 05:38:00
This is a good answer for my original post, so I'll give you credit. Unfortunately after researching this more, it looks like I don't want SID at all (see Update). Thanks.
HackedByChinese  2009-10-27 05:41:24
A: 

Sounds like you're making this a lot more difficult than it needs to be. What do you need a SID or GUID for? You already have a unique, perfectly readable identifier for the users account maintained in ActiveDirectory.

It's called "the username". Hopefully it's the same username as stored in your apps "user" table.

Your app just needs to know if that username successfully authenticated with ActiveDirectory. So if they successfully log in - you just store the fact that they are authenticated in your Session variables.

If they are configured to use the db user login, if successful set the same Session variable indicating that they successfully logged in.

No fancy GUIDs or SIDs ... simple.

Ron

Ron Savage  2009-10-27 05:56:48
Usernames can and do change (think about a user's last name changing after they get married).
HackedByChinese  2009-10-27 06:27:33
Yes they do, and depending how they handle that in Active Directory your SID and/or GUID would change as well. Don't avoid the simple solution simply because there is some maintenance involved - because there always is some. The simpler your solution - the simpler the maintenance.
Ron Savage  2009-10-27 14:23:55
Hence my update. Object-SID can change, and therefore I won't be using it. Object-GUID will not change, unless an administrator changes it or recreates the account. I'm fine with leaving it to a maintenance task for that particular situation, since it will be considerably more seldom then a renamed account. However, if I use the name, it changes, and they log in the system will create a new User record and now I've got duplicated/orphaned data. We can't afford to fix or clean up data every time this happens, if we can avoid it up front. Believe me, I'm not avoiding simple purposely.
HackedByChinese  2009-10-27 15:21:47

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP