20

I'm building Active Directory Authentication into my application and I am planning to link my application's internal accounts to a user's domain SID. It is easier for me to work with the string format of the sid than a byte array so I was planning to store it in the database as a string. How long should I make the field to ensure SID's will not get truncated?

dthrasher
  • 40,656
  • 34
  • 113
  • 139
Brian Cauthon
  • 5,524
  • 2
  • 24
  • 26

4 Answers4

35

I had the same question, and I believe the right answer is:

  • ID as string: 184 characters, or varchar(184) in SQL Server
  • SID as string of Hex digits: 136 characters, or varchar(136) in SQL Server
  • SID as binary: 68 bytes, or varbinary(68) in SQL Server

I haven't checked the math myself, but the technique used here looks valid: https://groups.google.com/d/msg/microsoft.public.dotnet.security/NpIi7c2Toi8/31SVhcepY58J

Refer to the program written by Russell Mangel on Aug 19, 2006, also copied here for reference:

So the answer to my question is:

varbinary(68)-- pure binary
varchar(136) -- (68*2) = hexString
varchar(184) -- SID String

I wrote a little program to test, notice that .NET 2.0 has SecurityIdentifier.MaxBinaryLength, I didn't know about this.

Console.WriteLine("SID Min. num Bytes: {0}",
SecurityIdentifier.MinBinaryLength);
Console.WriteLine("SID Max. num Bytes: {0}",
SecurityIdentifier.MaxBinaryLength);
Byte[] bytes = new byte[SecurityIdentifier.MaxBinaryLength];
for (Int32 i = 0; i < bytes.Length; i++)
{
    bytes[i] = 0xFF;
}
bytes[0] = 0x01; // Must be 1
bytes[1] = 0x0F; // Max 15 (base10)
SecurityIdentifier sid = new SecurityIdentifier(bytes, 0);
String sidString = sid.ToString();
Console.WriteLine("Max length of SID in String format: {0} ", sidString.Length);
Console.WriteLine(sidString);

Results

SID Min. num Bytes: 8
SID Max. num Bytes: 68
Max length of SID in String format: 184
S-1-281474976710655-4294967295-4294967295-4294967295-4294967295-4294967295-
  4294967295-4294967295-4294967295-4294967295-4294967295-4294967295-
  4294967295-4294967295-4294967295-4294967295
Anton Shchyrov
  • 285
  • 3
  • 15
Emil Lerch
  • 4,416
  • 5
  • 33
  • 43
2

According to ntseapi_x.h:

typedef struct _SID_IDENTIFIER_AUTHORITY {
    UCHAR Value[6];
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY; 

typedef struct _SID {
   UCHAR Revision;
   UCHAR SubAuthorityCount;
   SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
   ULONG SubAuthority[ANYSIZE_ARRAY];
} SID, *PISID;
    
#define SID_MAX_SUB_AUTHORITIES          (15)

A UCHAR is actually an unsigned char which is 1 byte. ULONG is an unsigned long which is 4 bytes.

SID's max data size is 68 bytes: UCHAR + UCHAR + (UCHAR * 6) + (ULONG * 15) = 1 + 1 + 6 + 60 = 68

Converting a SID to a string, like what you would get by calling ConvertSidToStringSid, might look something like this: L"S-1-5-21-66"

  • "S-1" <= is the start of all SIDs
    • 3 characters
  • "5" <= is the identifier authority
    • the numbers are printed as decimals normally. One exception is if the authority is larger 4 bytes, then it is printed as hex, eg. 0x1234...
    • So the max value would be "4294967296" or "0xffffffffffff" or 14 characters
  • "21" & "66" <= are sub-authrities
    • Each can be up "4294967296" or 10 characters, with 15 max sub authorities
  • the sections are delimited by a "-"

SID's max string length is 184: 3 + 1 + 14 + 1 + (10 * 15) + 14 = 183, or 184 counting the null.

You may consider just using MAX_UNICODE_STACK_BUFFER_LENGTH or 256 which fits nicely in memory.

sam msft
  • 537
  • 6
  • 17
1
  1. For string format, the common answer of 184 isn't correct. If authority is between 32 and the maximum of 48 bits, then it must be represented as a hex string, not decimal, and prepended with '0x'. This means instead of a 15-character string needed to represent the maximum 48 bits in decimal, you actually need a (48 bit / 4 bit + 2) 14 character string, meaning (184 - 15 + 14) 183 characters are required for whole SID string. For less than 32 bits, decimal format is used (maximum 10 decimal characters).
Chalky
  • 1,624
  • 18
  • 20
  • 1
    Interestingly, even some of MS own code doesn't honour this. The .NET Security.Principal.SecurityIdentifier constructor accepts the hex format, but the ToString() method always outputs in decimal. – Chalky Dec 31 '18 at 09:48
0

While 184 looks correct, on the official docs there is a different value:

SID - Specifies the security identifier of the domain account. SID is a string with a maximum length of 256 characters.

https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-offlineuseraccounts-offlinedomainaccounts-offlinedomainaccount-sid#:~:text=SID%20is%20a%20string%20with%20a%20maximum%20length%20of%20256%20characters.

sekrett
  • 1,205
  • 1
  • 15
  • 17