Ok – here’s the scenario:
You have an application that stores its principals in a SQL database, and you have an AzMan store against which you want to run access checks. How do you combine the two?
First of all, you have to map your principals to custom SIDs.
When creating custom SIDs you must establish a SID design for your application. For example, you might have S-1-9-AppInstanceGUID-UserRID, where 9 is the resource manager subauthority, AppInstanceGUID is your Application ID and UserRID is a unique number for the user in the scope of the application instance.
e.g. S-1-9-1-1 for the first app and the first user.
The table that stores the principals and the SIDs has the following schema:
Username varchar(50) NOT NULL, Primary Key
ID int NOT NULL Identity
PasswordHash varchar(50) NOT NULL
Salt varchar(200) NOT NULL
Sid varchar(50) NOT NULL
The ID column will help to generate unique user RIDs.
The stored procedure to insert new users and generate a SID:
CREATE PROCEDURE dbo.AddUser
    -- parameter types follow the utSid schema; @AppID carries the SID prefix (e.g. S-1-9-1)
    @Username varchar(50), @Salt varchar(200), @PasswordHash varchar(50), @AppID varchar(50)
AS
INSERT INTO utSid (Username, Salt, PasswordHash, Sid)
VALUES (@Username, @Salt, @PasswordHash, @AppID)
-- the identity value of the new row is the user RID; append it to the prefix
-- (SCOPE_IDENTITY() is the safer choice if utSid ever gets an insert trigger)
UPDATE utSid SET Sid = @AppID + '-' + CONVERT(varchar, @@IDENTITY) WHERE ID = @@IDENTITY
-- hand the finished SID back to the caller
SELECT @AppID + '-' + CONVERT(varchar, @@IDENTITY)
Maybe not the most elegant T-SQL – but it works. Another option would be a computed column that forms the SID value from the ID column.
Passwords, Hashes and Salts
Obviously we don’t want to store the cleartext passwords of our users, so we store a salted hash instead. The password hash is computed as hash(salt, password) using PKCS#5, which the .NET Framework exposes in the PasswordDeriveBytes class. The salt is a random value generated by RNGCryptoServiceProvider (a cryptographically strong random number generator).
private byte[] generateSalt(int length) { // requires System.Security.Cryptography
    byte[] salt = new byte[length];
    new RNGCryptoServiceProvider().GetBytes(salt); // cryptographically strong random bytes
    return salt;
}
private string generateHash(string password, byte[] salt, int iterations) {
    PasswordDeriveBytes p = new PasswordDeriveBytes(password, salt, "SHA1", iterations);
    return Convert.ToBase64String(p.GetBytes(20)); // SHA1 digest is 20 bytes; goes into PasswordHash
}
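As an added example (not the post's code), the SID design and the salted-hash scheme above worked through in Python: it builds and validates SIDs of the form S-1-9-AppID-RID and implements PKCS#5 PBKDF1 with SHA-1, which is assumed to be what PasswordDeriveBytes returns in its first 20 bytes. It also assumes the app ID is written as a decimal subauthority (as in the S-1-9-1-1 example), uses os.urandom in place of RNGCryptoServiceProvider, and represents utSid rows as plain dicts.

```python
import base64
import hashlib
import hmac
import os
import re

# SID design from the post: S-1-9-<AppInstanceGUID>-<UserRID>, where 9 is the
# resource-manager subauthority. Assumption: the app ID is written as a decimal
# subauthority, as in the post's S-1-9-1-1 example; the RID is the row's identity.
RM_AUTHORITY = 9
SID_RE = re.compile(r"^S-1-(\d+)-(\d+)-(\d+)$")

def build_sid(app_id: str, user_rid: int) -> str:
    """The value AddUser stores: '<AppID prefix>-<identity>'."""
    if not app_id.isdigit() or user_rid < 1:
        raise ValueError("app ID must be decimal digits and RID a positive identity")
    return f"S-1-{RM_AUTHORITY}-{app_id}-{user_rid}"

def parse_sid(sid: str) -> tuple:
    """Accept only SIDs of this design; a Windows SID such as S-1-5-... is rejected."""
    m = SID_RE.match(sid)
    if not m or int(m.group(1)) != RM_AUTHORITY or int(m.group(3)) < 1:
        raise ValueError(f"not an application SID: {sid}")
    return m.group(2), int(m.group(3))

def pbkdf1_sha1(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PKCS#5 v1.5 PBKDF1: T1 = SHA1(P||S), Ti = SHA1(Ti-1); 20-byte result.
    Assumption: this matches PasswordDeriveBytes' first 20 bytes; verify on your .NET."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    t = hashlib.sha1(password + salt).digest()
    for _ in range(iterations - 1):
        t = hashlib.sha1(t).digest()
    return t

def new_user_row(username: str, password: str, app_id: str, identity: int,
                 iterations: int = 1000, salt: bytes = None) -> dict:
    """A utSid row: CSPRNG salt (os.urandom stands in for RNGCryptoServiceProvider)."""
    salt = os.urandom(16) if salt is None else salt
    digest = pbkdf1_sha1(password.encode("utf-8"), salt, iterations)
    return {"Username": username, "ID": identity, "Sid": build_sid(app_id, identity),
            "Salt": base64.b64encode(salt).decode(),
            "PasswordHash": base64.b64encode(digest).decode()}

def check_password(row: dict, password: str, iterations: int = 1000) -> bool:
    """Recompute the salted hash and compare it to the stored one in constant time."""
    salt = base64.b64decode(row["Salt"])
    digest = pbkdf1_sha1(password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, base64.b64decode(row["PasswordHash"]))
```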
In part 2 I will show how to interact with the AzMan store.