What Active Directory field do I use to uniquely identify a user?

I have an Asp.net MVC project authenticating through AD. I would like to store audit information in tables for the current logged in user. What should I be storing in the database? I am currently using SamAccountName for my membership and role providers. Should I be using this? Should I use the more verbose and modern UserPrincipalName? What if we eventually end up using multiple domains?

What about Guid? Guid would seem like the obvious choice but I know nothing about it. Why is it nullable? Does this value change? What is it used for?

Update

According to SID vs. GUID

The reason for using SIDs at all, and not GUIDs, is for backward compatibility. Windows NT uses SIDs to identify users and groups in ACLs on resources.

SIDs will actually change if you move a user to a new domain, the GUID will remain
constant. It looks to me like GUID is the way to go unless you intend to authenticate against a NT4 AD server.

I’m not sure what to do here as I cannot accept my own answer for 2 days. Most in-depth explanation wins?

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

According to SID vs. GUID

The reason for using SIDs at all, and not GUIDs, is for backward compatibility. Windows NT uses SIDs to identify users and groups in ACLs on resources.

That being said, I’ve decided to go with GUID. SIDs will actually change if you move a user to a new domain, the GUID will remain constant. So long as you don’t plan on running your application against an NT4 AD server, GUID is the way to go.

Method 2

You might want to use the SID — that’s what the OS itself uses in most cases. SIDs are also unique across domains or workgroups.

The problem with user name alone is that it can be changed, whereas the SID is fixed.

Method 3

If you are using ASP.NET MVC (or Webforms for that matter) with Windows Authentication, why not just use the user name that you get from this property:

HttpContext.Current.User.Identity.Name

This returns Domain/Username of the user. I have worked on corporate web apps that used this for auditing purposes. I would be curious to know if you think this is not unique enough for your purposes.

Also I’m not sure why you would want to store a SID or GUID of the user, as it is very hard to read compared to domain/user when you are viewing audit logs.

Method 4

samAccountName is the user name the user uses to log in with. You can get a little more ‘complete’ by prepending the domain too, but there’s no reason not to use the obvious username field.


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x