We are using Windows Active Directory to log users in without a password. The way we are currently doing it is like this:

using System;
using System.DirectoryServices.AccountManagement;
using System.Net.NetworkInformation;

// Bind to the domain this machine is joined to
var context = new PrincipalContext(ContextType.Domain, IPGlobalProperties.GetIPGlobalProperties().DomainName);
// Look up the account whose sAMAccountName equals the current user name
var result = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, Environment.UserName);

Then we have a stored SamAccountName in our database which we match against the returned result.SamAccountName

This is definitely not secure as users could have the same SamAccountName and log in using that.

We are exploring the use of the GUID which exists on the UserPrincipal (result.Guid). My question is, is this variable non-spoofable on the Windows side? Can we match the GUID that exists on the UserPrincipal object with a variable we store in our database? Is this secure? Does this property always exist on an AD UserPrincipal? If not, how would we securely authenticate a user through this Windows Active Directory login?

Thomas
  • A GUID is guaranteed* to be unique given the parameters of its creation. If someone were to figure out those parameters, though, they could easily recreate it, so I wouldn't depend on it for purposes of security. – Abion47 Aug 07 '18 at 01:30
  • I'm more concerned with the possibility of spoofing a GUID on Windows AD (ex, I know someone else's GUID and somehow inject that into my Windows AD profile). If I'm understanding your response correctly, I'm not as worried with 2 users generating identical GUIDs. Do you have any thoughts on this? Thanks! – Thomas Aug 07 '18 at 01:58
  • I'm not familiar enough with Windows AD to make suggestions, but as far as the GUID goes, I'd imagine the same concept applies. .NET is not responsible for creating a GUID - Windows is. The .NET implementation is just a wrapper on top of it, and I bet the Windows AD use of them is the same. GUIDs are designed to be unique, not secure. You use them purely for the purpose of identification (hence the "ID" part of the name). [They are not cryptographically secure, nor are they intended to be.](https://stackoverflow.com/questions/17408572/is-microsofts-guid-generator-cryptographically-secure) – Abion47 Aug 07 '18 at 05:42
  • Got it! That makes perfect sense. In essence, I shouldn't rely on GUIDs for a password-like authentication as (even though they're unique) they're not cryptographically secure. Then the overarching question still lies, is there a secure way to authenticate users with our server with just the `UserPrincipal` object? – Thomas Aug 07 '18 at 18:11
  • Correct me if I'm wrong, but isn't the `UserPrincipal` object the representative of a user _after_ they have successfully logged in? I doubt there is going to be anything you can use in there to store cryptographically secure keys. The main problem here is that you are trying to login people to your service without a password, which is inherently insecure. If you want to secure it, you're going to need some other form of secure identification, like biometrics, MFA, or a crypto key generated from their MAC address or something. – Abion47 Aug 07 '18 at 18:48
  • The question you need to ask yourself, then, is if you really need this service to be cryptographically secure. If not, then the concern isn't security but rather identification, for which GUIDs are perfectly sufficient (assuming the user gets the same GUID on every login, which I don't know). If yes, you are going to need to come up with some other source of cryptographically secure data that isn't dependent on the user's session data _after_ they have already logged in. (And you probably should've gone with the password approach from the start.) – Abion47 Aug 07 '18 at 18:52

1 Answer


"sAMAccountName" is unique in a domain.

But you can also use both "objectSID" and "objectGUID" for this purpose; these fields remain unchanged.

Note that if an object is moved to another domain, the objectSID changes, but not the objectGUID.

Overall, the best choice is "objectGUID",

according to https://social.technet.microsoft.com/Forums/windowsserver/en-US/a5c0a863-cad1-4df8-a194-cb58f24ab1e6/is-objectguid-unique-in-the-domainforest?forum=winserverDS
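As an added example (not code from the question or the answer), the following C# applies the answer's advice: the application stores the user's objectGUID at enrollment, keeps the objectSid as a secondary check, and later compares the live UserPrincipal against that record instead of against the sAMAccountName. The GUID is treated as a lookup key for an account the domain has already authenticated, not as a secret. Two choices here are the example's own, not the answer's: the lookup keys on the SID of the current Windows logon token (WindowsIdentity.GetCurrent()) rather than on Environment.UserName, and a SID mismatch with a matching GUID is reported rather than rejected, because the answer notes that the SID changes when an account moves to another domain while the GUID does not. The StoredUser record, its values and the Matches helper are constructed for the example; Principal.Guid is a nullable property, so the "does it always exist" case from the question is handled explicitly. It needs a domain-joined Windows host and a reference to System.DirectoryServices.AccountManagement.

```csharp
// Added example: match a live AD principal against a stored objectGUID/objectSid record.
// Not from the original question or answer. Assumes a domain-joined Windows host and a
// reference to the System.DirectoryServices.AccountManagement assembly.
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

static class AdIdentityMatch
{
    // Constructed stand-in for the row the application stored when the user was enrolled.
    sealed class StoredUser
    {
        public string SamAccountName;  // kept for display only; it is not the key
        public Guid ObjectGuid;        // objectGUID: survives a move to another domain
        public string ObjectSidSddl;   // objectSid as SDDL text, e.g. "S-1-5-21-...-1104"; changes on a domain move
    }

    // Decide whether the principal AD returned is the stored user.
    // objectGUID is the primary key. objectSid is a secondary signal: a mismatch is
    // reported in `reason` but does not fail the match, since the SID changes if the
    // account is moved to another domain while the GUID does not.
    static bool Matches(UserPrincipal user, StoredUser stored, out string reason)
    {
        if (user == null)
        {
            reason = "no matching account in the domain";
            return false;
        }
        // Principal.Guid is Nullable<Guid>; a missing value is a failed match, not a pass.
        if (!user.Guid.HasValue)
        {
            reason = "principal has no objectGUID";
            return false;
        }
        if (user.Guid.Value != stored.ObjectGuid)
        {
            reason = "objectGUID does not match the stored record";
            return false;
        }
        if (user.Sid == null || user.Sid.Value != stored.ObjectSidSddl)
        {
            reason = "objectGUID matches but objectSid differs (account moved between domains?)";
            return true;
        }
        reason = "objectGUID and objectSid both match";
        return true;
    }

    static void Main()
    {
        // Constructed record: replace with the values captured when the user was enrolled.
        var stored = new StoredUser
        {
            SamAccountName = "jdoe",
            ObjectGuid = new Guid("11111111-2222-3333-4444-555555555555"),
            ObjectSidSddl = "S-1-5-21-1111111111-2222222222-3333333333-1104"
        };

        // Key the lookup on the SID of the current logon token rather than on a user-name string.
        var token = WindowsIdentity.GetCurrent();
        using (var context = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(context, IdentityType.Sid, token.User.Value))
        {
            string reason;
            bool ok = Matches(user, stored, out reason);
            Console.WriteLine("{0}: {1}", ok ? "ACCEPT" : "REJECT", reason);
            if (ok)
            {
                // SecurityIdentifier.ToString() yields the SDDL form; a null Sid prints as empty.
                Console.WriteLine("sAMAccountName={0} objectGUID={1} objectSid={2}",
                    user.SamAccountName, user.Guid, user.Sid);
            }
        }
    }
}
```

When persisting the key, store objectGUID as the 16-byte value (or its canonical string form from System.Guid) captured at enrollment; the AD attribute is a binary octet string, and Principal.Guid surfaces it as a System.Guid. Keeping the SID alongside it costs nothing and gives a useful signal when an account has been migrated.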