我使用哪个 Active Directory 字段来唯一标识用户?

问题描述

我有一个通过 AD 进行身份验证的 Asp.net MVC 项目.我想将审计信息存储在当前登录用户的表中.我应该在数据库中存储什么?我目前正在使用 SamAccountName 作为我的成员资格和角色提供者.我应该使用这个吗?我应该使用更详细和现代的 UserPrincipalName?如果我们最终使用多个域会怎样?

I have an Asp.net MVC project authenticating through AD. I would like to store audit information in tables for the current logged in user. What should I be storing in the database? I am currently using SamAccountName for my membership and role providers. Should I be using this? Should I use the more verbose and modern UserPrincipalName? What if we eventually end up using multiple domains?

Guid 怎么样?Guid 似乎是显而易见的选择，但我对此一无所知.为什么它可以为空?这个值会改变吗?有什么用?

What about Guid? Guid would seem like the obvious choice but I know nothing about it. Why is it nullable? Does this value change? What is it used for?

根据 SID 与 GUID ...

完全使用 SID 而不是 GUID 的原因是为了向后兼容.Windows NT 使用 SID 来标识资源 ACL 中的用户和组.

The reason for using SIDs at all, and not GUIDs, is for backward compatibility. Windows NT uses SIDs to identify users and groups in ACLs on resources.

如果您将用户移动到新域，SID 实际上会改变，GUID 将保持不变持续的.在我看来，除非您打算针对 NT4 AD 服务器进行身份验证，否则 GUID 是可行的方法.

SIDs will actually change if you move a user to a new domain, the GUID will remain constant. It looks to me like GUID is the way to go unless you intend to authenticate against a NT4 AD server.

我不知道该怎么做，因为我 2 天都无法接受自己的答案.最深入的解释胜出?

I'm not sure what to do here as I cannot accept my own answer for 2 days. Most in-depth explanation wins?

推荐答案

根据 SID 与 GUID ...

完全使用 SID 而不是 GUID 的原因是为了向后兼容.Windows NT 使用 SID 来标识资源 ACL 中的用户和组.

The reason for using SIDs at all, and not GUIDs, is for backward compatibility. Windows NT uses SIDs to identify users and groups in ACLs on resources.

话虽如此，我已决定使用 GUID.如果您将用户移动到新域，SID 实际上会发生变化，GUID 将保持不变.只要您不打算在 NT4 AD 服务器上运行您的应用程序，GUID 就是您要走的路.

That being said, I've decided to go with GUID. SIDs will actually change if you move a user to a new domain, the GUID will remain constant. So long as you don't plan on running your application against an NT4 AD server, GUID is the way to go.