AzMan and Custom SIDs – Part 1

Ok – here’s the scenario:

You have an application that stores its principals in a SQL database, and an AzMan store against which you want to run access checks. How can you combine these?

First of all you have to map your principals to Custom SIDs.

When creating custom SIDs you must establish a SID design for your application. For example, you might have S-1-9-AppInstanceGUID-UserRID, where 9 is the resource manager subauthority, AppInstanceGUID is your Application ID and UserRID is a unique number for the user in the scope of the application instance.

e.g. S-1-9-1-1 for the first app and the first user.

Database Design
The table that stores the principals and the SIDs has the following schema:

Username varchar(50) NOT NULL, Primary Key
ID int NOT NULL Identity
PasswordHash varchar(50) NOT NULL
Salt varchar(200) NOT NULL
Sid varchar(50) NOT NULL

The ID column will help to generate unique user RIDs.

The stored procedure to insert new users and generate a SID:

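  CREATE PROCEDURE InsertUser  -- placeholder name; the original listing starts at the parameters
  @Username varchar(50),
  @PasswordHash varchar(200),
  @Salt varchar(200),
  @AppID varchar(50)
  AS

  -- Insert the row with the bare AppID first; the identity value is not known yet
  INSERT INTO utSid
  (Username, Salt, PasswordHash, Sid)
  VALUES (@Username, @Salt, @PasswordHash, @AppID)

  -- Append the generated ID as the user RID, then return the finished SID
  update utSid set Sid = @AppID + '-' + Convert(varchar,@@Identity) where ID = @@Identity
  select @AppID + '-' + Convert(varchar,@@Identity)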


Maybe not the most elegant T-SQL, but it works. Another option could be to use a column expression to form the SID value.

Passwords, Hashes and Salts

Obviously we don't want to store the cleartext passwords of our users, so we store a salted hash instead. The password hash is formed as hash(salt, password) using PKCS#5, which the .NET Framework exposes in the PasswordDeriveBytes class. The salt is a random number generated by RNGCryptoServiceProvider (a cryptographically strong random number generator).

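// Requires: using System; using System.Security.Cryptography;

// Returns 'length' bytes from a cryptographically strong random number generator.
private byte[] generateSalt(int length)
{
  byte[] salt = new byte[length];
  new RNGCryptoServiceProvider().GetBytes(salt);

  return salt;
}

// Derives 16 bytes from password and salt (SHA1, 'iterations' rounds), Base64-encoded.
private string generateHash(string password, byte[] salt, int iterations)
{
  PasswordDeriveBytes p = new PasswordDeriveBytes(password, salt, "SHA1", iterations);
  return Convert.ToBase64String(p.GetBytes(16));
}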
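
The other half of the scheme, checking a login attempt against the stored Salt and PasswordHash columns, as an added example that is not code from the original post. The class name, Verify, fixedTimeEquals, the Base64 encoding of the salt column and the iteration count of 1000 are assumptions.

```csharp
using System;
using System.Security.Cryptography;

// Added example; only generateSalt and generateHash mirror the post.
public static class PasswordCheck
{
    static byte[] generateSalt(int length)
    {
        byte[] salt = new byte[length];
        new RNGCryptoServiceProvider().GetBytes(salt);
        return salt;
    }

    static string generateHash(string password, byte[] salt, int iterations)
    {
        using (var p = new PasswordDeriveBytes(password, salt, "SHA1", iterations))
            return Convert.ToBase64String(p.GetBytes(16));
    }

    // Compares every byte even after a mismatch, so timing does not leak the match length.
    static bool fixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // storedSalt and storedHash are the strings read from the user's row
    // (assumed here to be Base64). The iteration count must match the one
    // used when the hash was created.
    public static bool Verify(string attempt, string storedSalt, string storedHash, int iterations)
    {
        byte[] salt = Convert.FromBase64String(storedSalt);
        byte[] expected = Convert.FromBase64String(storedHash);
        byte[] actual = Convert.FromBase64String(generateHash(attempt, salt, iterations));
        return fixedTimeEquals(expected, actual);
    }

    public static void Main()
    {
        // Constructed sample values standing in for one row of the table.
        const int iterations = 1000;
        string salt = Convert.ToBase64String(generateSalt(16));
        string hash = generateHash("correct horse", Convert.FromBase64String(salt), iterations);
        Console.WriteLine(Verify("correct horse", salt, hash, iterations));
        Console.WriteLine(Verify("wrong guess", salt, hash, iterations));
    }
}
```

PasswordDeriveBytes implements an extension of PBKDF1 from PKCS#5; Rfc2898DeriveBytes is the framework's PBKDF2 implementation and the usual choice for new code.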

In part 2 I will show how to interact with the AzMan store.
