我使用什么Active Directory字段来唯一标识用户?

时间:2021-11-16 00:47:04

I have an Asp.net MVC project authenticating through AD. I would like to store audit information in tables for the current logged in user. What should I be storing in the database? I am currently using SamAccountName for my membership and role providers. Should I be using this? Should I use the more verbose and modern UserPrincipalName? What if we eventually end up using multiple domains?

我有一个通过AD验证的Asp.net MVC项目。我想将审核信息存储在当前登录用户的表中。我应该在数据库中存储什么?我目前正在使用SamAccountName作为我的会员和角色提供者。我应该用这个吗?我应该使用更详细和更现代的UserPrincipalName吗?如果我们最终最终使用多个域怎么办?

What about Guid? Guid would seem like the obvious choice but I know nothing about it. Why is it nullable? Does this value change? What is it used for?

Guid怎么样? Guid似乎是明显的选择,但我对此一无所知。为什么它可以为空?这个值会改变吗?它是干什么用的?

Update

According to SID vs. GUID ...

根据SID vs. GUID ...

The reason for using SIDs at all, and not GUIDs, is for backward compatibility. Windows NT uses SIDs to identify users and groups in ACLs on resources.

完全使用SID而不是GUID的原因是为了向后兼容。 Windows NT使用SID标识资源中ACL中的用户和组。

SIDs will actually change if you move a user to a new domain, the GUID will remain constant. It looks to me like GUID is the way to go unless you intend to authenticate against a NT4 AD server.

如果将用户移动到新域,SID实际上会发生变化,GUID将保持不变。除非您打算对NT4 AD服务器进行身份验证,否则我认为GUID是最佳选择。

I'm not sure what to do here as I cannot accept my own answer for 2 days. Most in-depth explanation wins?

我不知道该怎么做,因为我不能接受我自己的答案2天。最深入的解释获胜?

4 个解决方案

#1


7  

According to SID vs. GUID ...

根据SID vs. GUID ...

The reason for using SIDs at all, and not GUIDs, is for backward compatibility. Windows NT uses SIDs to identify users and groups in ACLs on resources.

完全使用SID而不是GUID的原因是为了向后兼容。 Windows NT使用SID标识资源中ACL中的用户和组。

That being said, I've decided to go with GUID. SIDs will actually change if you move a user to a new domain, the GUID will remain constant. So long as you don't plan on running your application against an NT4 AD server, GUID is the way to go.

话虽这么说,我决定选择GUID。如果将用户移动到新域,SID实际上会发生变化,GUID将保持不变。只要您不打算针对NT4 AD服务器运行应用程序,GUID就是您的选择。

#2


2  

You might want to use the SID -- that's what the OS itself uses in most cases. SIDs are also unique across domains or workgroups.

您可能希望使用SID - 这是操作系统本身在大多数情况下使用的内容。 SID在域或工作组中也是唯一的。

The problem with user name alone is that it can be changed, whereas the SID is fixed.

仅用户名的问题是它可以更改,而SID是固定的。

#3


-1  

If you are using ASP.NET MVC (or Webforms for that matter) with Windows Authentication, why not just use the user name that you get from this property:

如果您在Windows身份验证中使用ASP.NET MVC(或Webforms),为什么不使用从此属性获取的用户名:

HttpContext.Current.User.Identity.Name

This returns Domain/Username of the user. I have worked on corporate web apps that used this for auditing purposes. I would be curious to know if you think this is not unique enough for your purposes.

这将返回用户的域/用户名。我曾参与过将此用于审计目的的企业网络应用程序。我很想知道你是否认为这对你的目的来说不够独特。

Also I'm not sure why you would want to store a SID or GUID of the user, as it is very hard to read compared to domain/user when you are viewing audit logs.

此外,我不确定您为什么要存储用户的SID或GUID,因为在查看审核日志时,与域/用户相比,它很难阅读。

#4


-2  

samAccountName is the user name the user uses to log in with. You can get a little more 'complete' by prepending the domain too, but there's no reason not to use the obvious username field.

samAccountName是用户用于登录的用户名。您也可以通过预先添加域来获得更多“完整”,但没有理由不使用明显的用户名字段。

#1


7  

According to SID vs. GUID ...

根据SID vs. GUID ...

The reason for using SIDs at all, and not GUIDs, is for backward compatibility. Windows NT uses SIDs to identify users and groups in ACLs on resources.

完全使用SID而不是GUID的原因是为了向后兼容。 Windows NT使用SID标识资源中ACL中的用户和组。

That being said, I've decided to go with GUID. SIDs will actually change if you move a user to a new domain, the GUID will remain constant. So long as you don't plan on running your application against an NT4 AD server, GUID is the way to go.

话虽这么说,我决定选择GUID。如果将用户移动到新域,SID实际上会发生变化,GUID将保持不变。只要您不打算针对NT4 AD服务器运行应用程序,GUID就是您的选择。

#2


2  

You might want to use the SID -- that's what the OS itself uses in most cases. SIDs are also unique across domains or workgroups.

您可能希望使用SID - 这是操作系统本身在大多数情况下使用的内容。 SID在域或工作组中也是唯一的。

The problem with user name alone is that it can be changed, whereas the SID is fixed.

仅用户名的问题是它可以更改,而SID是固定的。

#3


-1  

If you are using ASP.NET MVC (or Webforms for that matter) with Windows Authentication, why not just use the user name that you get from this property:

如果您在Windows身份验证中使用ASP.NET MVC(或Webforms),为什么不使用从此属性获取的用户名:

HttpContext.Current.User.Identity.Name

This returns Domain/Username of the user. I have worked on corporate web apps that used this for auditing purposes. I would be curious to know if you think this is not unique enough for your purposes.

这将返回用户的域/用户名。我曾参与过将此用于审计目的的企业网络应用程序。我很想知道你是否认为这对你的目的来说不够独特。

Also I'm not sure why you would want to store a SID or GUID of the user, as it is very hard to read compared to domain/user when you are viewing audit logs.

此外,我不确定您为什么要存储用户的SID或GUID,因为在查看审核日志时,与域/用户相比,它很难阅读。

#4


-2  

samAccountName is the user name the user uses to log in with. You can get a little more 'complete' by prepending the domain too, but there's no reason not to use the obvious username field.

samAccountName是用户用于登录的用户名。您也可以通过预先添加域来获得更多“完整”,但没有理由不使用明显的用户名字段。