A CN (common name) is no good for logging in, because a CN alone does not uniquely identify a user. I could have a
CN=Ryan Ries,OU=Dallas,DC=Domain,DC=com
and I could also have a
CN=Ryan Ries,OU=New York,DC=Domain,DC=com
A user's CN is also an RDN (relative distinguished name). They have the same CN, but different DNs. You might notice that you run into problems if you have two people in your organization named Ryan Ries, and you'll have to make the SamAccountName for the second one something like rries2.
A DN (distinguished name) is not good to log in with, because who wants to log in to a system with a username like CN=ryan,OU=Texas,DC=brazzers,DC=com? While using a DN does uniquely and definitively identify a user, it's annoying to have to type out. It's the same kind of concept between relative paths and absolute paths on a file system. It also implies that you know exactly where in the directory structure the object is located without having to search for it. Which you often do not.
This is called Ambiguous Name Resolution (ANR) - searching the directory for a user when you do not have his or her distinguished name.
UPN (User principal name) is pretty good because they look like email addresses, they can be the same as the user's corporate email address, they're easy to remember, and they are preferred to log in with because the name will be searched for in the local domain first, before searching for it in the forest.
Microsoft says:
The point of the UPN is to consolidate the email and logon namespaces so that the user need only remember a single name. The UPN is the preferred logon name for Windows users. Users should be using their UPNs to log on to the domain. At logon time, a UPN is validated first by searching the local domain, then the global catalog. Failure to find the UPN in the local domain or the GC results in rejection of the UPN. The UPN can be assigned, but is not required, when the user account is created.
Keep in mind that "not required" bit at the end when designing your applications.
SamAccountName is also good because SamAccountName needs to be unique for everyone in the domain (but not the forest). Additionally, SamAccountNames are short. Most people log in with SamAccountNames, even though they do not uniquely identify you in an AD forest, which is why you have to specify a domain name to go along with your SamAccountName so that the system knows what domain you are trying to log in to.
Here is some great documentation on the issue for further reading:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms677605(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680857(v=vs.85).aspx
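
The uniqueness rules described in the answer above, as an added example that is not part of the original answer: a small Python resolver over a constructed in-memory directory that accepts a login name only when it maps to exactly one account. The `FOREST` entries, the `CHILD` domain and all function names are assumptions made for illustration, and no real directory is queried.

```python
# Constructed sample directory (not real accounts); one entry has no UPN.
FOREST = [
    {"dn": "CN=Ryan Ries,OU=Dallas,DC=Domain,DC=com", "domain": "DOMAIN",
     "sam": "rries", "upn": "rries@domain.com"},
    {"dn": "CN=Ryan Ries,OU=New York,DC=Domain,DC=com", "domain": "DOMAIN",
     "sam": "rries2", "upn": None},  # UPN is not required at account creation
    {"dn": "CN=Ryan Ries,OU=Staff,DC=Child,DC=Domain,DC=com", "domain": "CHILD",
     "sam": "rries", "upn": "ryan.ries@domain.com"},
]

def rdn(dn):
    # Leftmost RDN of a DN. Simplification: assumes no escaped commas.
    return dn.split(",", 1)[0]

def resolve(name, local_domain="DOMAIN"):
    """Return every directory entry that the given login name could mean."""
    lower = name.lower()
    if "=" in name:
        if "," in name:  # full DN: unique across the whole forest
            return [e for e in FOREST if e["dn"].lower() == lower]
        return [e for e in FOREST if rdn(e["dn"]).lower() == lower]  # bare CN/RDN
    if "\\" in name:  # DOMAIN\sAMAccountName: unique within that domain
        dom, sam = lower.split("\\", 1)
        return [e for e in FOREST if e["domain"].lower() == dom and e["sam"] == sam]
    if "@" in name:  # UPN: local domain first, then the rest of the forest
        hits = [e for e in FOREST if e["upn"] == lower]
        local = [e for e in hits if e["domain"] == local_domain]
        return local or hits
    return [e for e in FOREST if e["sam"] == lower]  # sAMAccountName, no domain

def login_identity(name, local_domain="DOMAIN"):
    """Accept a login name only if it resolves to exactly one account."""
    hits = resolve(name, local_domain)
    if len(hits) != 1:
        raise LookupError(f"{name!r} matched {len(hits)} accounts")
    return hits[0]["dn"]
```

An application that keys on UPN must handle the empty result for accounts such as the second entry, for example by falling back to `DOMAIN\sAMAccountName`.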