Get currently logged-in user's objectGUID


MuZZy

Hi,

I am looking for a way to get the currently logged-in user's objectGUID
without querying Active Directory. For example, when I log in to my
laptop from home, I'm not on the office network so I can't reach AD, but
I'm sure I can still get my AD objectGUID, as the profile is cached
locally.

Any ideas?

Thank you,
Andrey
 

Luke Zhang [MSFT]

Hi Andrey,

I think you may try the ADSI WinNT Provider; it can query the local user:

http://msdn2.microsoft.com/en-us/library/aa746543.aspx

Sincerely,

Luke Zhang

Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 

Willy Denoyette [MVP]

MuZZy said:
Hi,

I am looking for a way to get the currently logged-in user's objectGUID without querying
Active Directory. For example, when I log in to my laptop from home, I'm not on the office
network so I can't reach AD, but I'm sure I can still get my AD objectGUID, as the
profile is cached locally.

Any ideas?

Thank you,
Andrey


No, the objectGUID is not part of the profile, so it is not cached locally. I don't know why you
need this objectGUID anyway.

Willy.
 

MuZZy

Willy said:
No, the objectGUID is not part of the profile, so it is not cached locally.
I don't know why you need this objectGUID anyway.

Willy.
I can explain why I need it; maybe you can give me better advice.
Our application currently supports its own set of application
users/logins, but it becomes a problem for our bigger clients who want
all of their software to be "one click login", so that once you are
logged in to Windows, you have access to all apps without needing to log in
again using those apps' logins. Like in SQL Server, where you can log in using a
SQL account or using Windows authentication.

So I want to add a mapping of existing application accounts to Active
Directory users. For that I need some user ID which is reliable and
which doesn't change if the user is, say, renamed (that's why I can't use the
principal name for that). So my idea was to use either the GUID or the SID, but
as I understand it the SID can change, but the GUID will never change.

In case the user is currently not on the network I still need to be
able to authenticate him; that's why I need something I can query
locally, without access to AD.

I guess I will go with the SID then...

Thank you,
Andrey
 

Willy Denoyette [MVP]

MuZZy said:
I can explain why I need it; maybe you can give me better advice.
Our application currently supports its own set of application users/logins, but it becomes
a problem for our bigger clients who want all of their software to be "one click login", so
that once you are logged in to Windows, you have access to all apps without needing to log in
again using those apps' logins. Like in SQL Server, where you can log in using a SQL account or
using Windows authentication.

Not sure what you mean by this? SQL Server and Windows authentication are different
beasts!
So I want to add a mapping of existing application accounts to Active Directory users. For
that I need some user ID which is reliable and which doesn't change if the user is, say,
renamed (that's why I can't use the principal name for that). So my idea was to use either
the GUID or the SID, but as I understand it the SID can change, but the GUID will never change.
GUIDs and objectSIDs don't change by renaming an object. Anyway, authentication (in an AD
realm) doesn't use objectGUIDs or GUIDs or SIDs; authentication uses Kerberos tickets
obtained by a login (specifying login credentials). A Kerberos ticket is cached locally and
is valid for a configurable period only, after which it can't be used any longer.

In case the user is currently not on the network I still need to be able to
authenticate him; that's why I need something I can query locally, without access to AD.

I guess I will go with the SID then...


I'm not quite clear on what you mean in your last paragraph. If the user is not on the
network, how do you access network resources? Or what do you need to authenticate the user
for?

Willy.
 

MuZZy

Willy said:
Not sure what you mean by this? SQL Server and Windows authentication
are different beasts!

GUIDs and objectSIDs don't change by renaming an object.
Anyway, authentication (in an AD realm) doesn't use objectGUIDs or
GUIDs or SIDs; authentication uses Kerberos tickets obtained by a login
(specifying login credentials). A Kerberos ticket is cached locally and
is valid for a configurable period only, after which it can't be used
any longer.




I'm not quite clear on what you mean in your last paragraph. If the user
is not on the network, how do you access network resources? Or what do
you need to authenticate the user for?

Willy.

OK, based on your comments I realized I should be more clear. Let me give you
an example: say I have a user in my app:
login: "andrey_app"
password: "password"

Also, that user's Windows principal username is "andrey@domain".
I somehow map andrey@domain to andrey_app (store the mapping in the
database).

Currently, when a user logs in to the application, he provides
andrey_app/password as his credentials and I authenticate him for the
application. What I want to do is avoid the need for the user to type
in that username/password. If a user chooses "Windows Authentication"
I'll take his Windows username:

WindowsIdentity user = WindowsIdentity.GetCurrent();

By that name I will get his application username andrey_app and will log
this user in as andrey_app.
And that's what I meant about SQL Server and Windows authentication:
when you connect to a SQL database you can either provide your SQL Server
login/password or use a trusted connection, where SQL Server will
authenticate you by your Windows username.

Now, some clients are using the app remotely with a copy of the
database and later they sync their local DB with the main one, so they
might need to be authenticated when outside the network.
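One way to implement the mapping discussed in this thread, keyed on the SID instead of the objectGUID (since the SID is read from the logon token and is available from cached credentials when the laptop is off the network). This is an added example, not code from any poster; the mapping table and the SID in it are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Maps the interactive Windows logon to an application login without
// contacting AD: the SID comes straight from the process token, which
// Windows builds from the cached logon when no domain controller is reachable.
static class WindowsLoginMapper
{
    // Constructed sample table; the real application would store this in its
    // own database. Keyed on the SID string, not on the account name, so a
    // rename of the AD account does not break the mapping.
    static readonly Dictionary<string, string> SidToAppLogin =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            // Placeholder SID, not a real account.
            { "S-1-5-21-1111111111-2222222222-3333333333-1001", "andrey_app" }
        };

    // Returns the mapped application login, or null when the current Windows
    // user has no mapping (the caller then falls back to the app's own login form).
    public static string ResolveAppLogin()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        if (id == null || id.User == null || !id.IsAuthenticated)
            return null;

        // SID from the logon token: available offline, survives renames.
        string sid = id.User.Value;
        string appLogin;
        return SidToAppLogin.TryGetValue(sid, out appLogin) ? appLogin : null;
    }

    // Used when an administrator enrolls a mapping: resolves the account name
    // typed by the admin (e.g. "DOMAIN\andrey") to its SID. Name-to-SID lookup
    // for a domain account needs a reachable domain controller, so do this once,
    // at enrollment time, and store only the SID.
    public static string SidForAccountName(string accountName)
    {
        NTAccount account = new NTAccount(accountName);
        SecurityIdentifier sid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
        return sid.Value;
    }

    static void Main()
    {
        Console.WriteLine(ResolveAppLogin() ?? "(no mapping for current user)");
    }
}
```

Note that a successful SID lookup only tells the application which Windows user the token belongs to; the authentication itself was already done by Windows (from cached credentials when offline), which is the trusted-connection behaviour the thread compares to SQL Server.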
 

Luke Zhang [MSFT]

You may still consider UserName as the mapping index, instead of objectGUID.
Changing a user account is rare, and you can also add a function to your
system to support changing the Windows user account mapping.

Sincerely,

Luke Zhang

Microsoft Online Community Support
 