What is the maximum length of a SID in SDDL format

Front-end  Open  3  453
清歌不尽
清歌不尽 2021-02-04 03:12

I'm building Active Directory Authentication into my application and I am planning to link my application's internal accounts to a user's domain SID. It is easier for me to

3 answers
  •  长情又很酷
    2021-02-04 03:46

    According to ntseapi_x.h:

    typedef struct _SID_IDENTIFIER_AUTHORITY {
        UCHAR Value[6];
    } SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;

    typedef struct _SID {
       UCHAR Revision;
       UCHAR SubAuthorityCount;
       SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
       ULONG SubAuthority[ANYSIZE_ARRAY];
    } SID, *PISID;

    #define SID_MAX_SUB_AUTHORITIES          (15)


    A UCHAR is actually an unsigned char which is 1 byte. ULONG is an unsigned long which is 4 bytes.

    SID's max data size is 68 bytes: UCHAR + UCHAR + (UCHAR * 6) + (ULONG * 15) = 1 + 1 + 6 + 60 = 68

    Converting a SID to a string, like what you would get by calling ConvertSidToStringSid, might look something like this: L"S-1-5-21-66"

    • "S-1" <= is the start of all SIDs
      • 3 characters
    • "5" <= is the identifier authority
      • the numbers are printed as decimals normally. One exception is if the authority is larger than 4 bytes, then it is printed as hex, eg. 0x1234...
      • So the max value would be "4294967296" or "0xffffffffffff" or 14 characters
    • "21" & "66" <= are sub-authrities
      • Each can be up "4294967296" or 10 characters, with 15 max sub authorities
    • the sections are delimited by a "-"

    SID's max string length is 184: 3 + 1 + 14 + 1 + (10 * 15) + 14 = 183, or 184 counting the null.

    You may consider just using MAX_UNICODE_STACK_BUFFER_LENGTH or 256 which fits nicely in memory.
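Worked example (added here, not part of the answer above and not Windows code): the length arithmetic in that answer, carried out by actually building the largest SID the structure permits and rendering it in SDDL form. The binary layout and the decimal/hex rule for the identifier authority follow the answer; `sid_to_string`, `string_to_sid` and `longest_sid_string` are names chosen for this example. The parser also rejects malformed input, which is what you want before storing a SID string in an application database.

```python
import re
import struct

# Constants derived from the SID layout quoted in the answer above.
SID_REVISION = 1
SID_MAX_SUB_AUTHORITIES = 15
SID_MAX_BINARY_LENGTH = 1 + 1 + 6 + 4 * SID_MAX_SUB_AUTHORITIES            # 68 bytes
SID_MAX_STRING_LENGTH = 3 + 1 + 14 + SID_MAX_SUB_AUTHORITIES * (1 + 10)    # 183 chars, no NUL

# Strict SDDL form: "S-1-<authority>[-<sub>]{0,15}", authority decimal or 0x + up to 12 hex digits.
_SID_RE = re.compile(r"S-1-(0x[0-9A-Fa-f]{1,12}|\d{1,10})((?:-\d{1,10}){0,15})")


def sid_to_string(sid_bytes: bytes) -> str:
    """Render a binary SID as 'S-R-I-S-S...', using the same decimal-or-hex rule for the
    identifier authority that ConvertSidToStringSid applies (hex once it exceeds 32 bits)."""
    if len(sid_bytes) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = sid_bytes[0], sid_bytes[1]
    if revision != SID_REVISION:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError(f"{count} sub-authorities exceeds SID_MAX_SUB_AUTHORITIES")
    if len(sid_bytes) != 8 + 4 * count:
        raise ValueError("SID length does not match SubAuthorityCount")
    # IdentifierAuthority is a 6-byte big-endian integer; each SubAuthority is a little-endian ULONG.
    authority = int.from_bytes(sid_bytes[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", sid_bytes, 8)
    if authority < (1 << 32):
        auth_text = str(authority)
    else:
        auth_text = f"0x{authority:012X}"   # the 14-character worst case from the answer
    return "S-1-" + auth_text + "".join(f"-{s}" for s in subs)


def string_to_sid(text: str) -> bytes:
    """Parse a validated SDDL SID string back into the binary layout; raises on anything
    that is not a well-formed SID (too many sub-authorities, out-of-range values, junk)."""
    m = _SID_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not a well-formed SID string: {text!r}")
    auth_text, subs_text = m.group(1), m.group(2)
    authority = int(auth_text, 16) if auth_text.lower().startswith("0x") else int(auth_text)
    if authority >= (1 << 48):
        raise ValueError("identifier authority does not fit in 6 bytes")
    subs = [int(s) for s in subs_text.split("-")[1:]] if subs_text else []
    if any(s >= (1 << 32) for s in subs):
        raise ValueError("sub-authority does not fit in a ULONG")
    return (bytes([SID_REVISION, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def longest_sid_string() -> str:
    """Build the largest SID the structure allows (all-0xFF authority, 15 maximal
    sub-authorities) and render it; its length is the 183 from the answer's arithmetic."""
    sid = (bytes([SID_REVISION, SID_MAX_SUB_AUTHORITIES])
           + b"\xff" * 6
           + b"\xff" * (4 * SID_MAX_SUB_AUTHORITIES))
    assert len(sid) == SID_MAX_BINARY_LENGTH
    return sid_to_string(sid)


if __name__ == "__main__":
    # Constructed sample: the well-known LocalSystem SID S-1-5-18 in binary form.
    local_system = bytes.fromhex("010100000000000512000000")
    print(sid_to_string(local_system))
    print(len(longest_sid_string()), "characters in the longest possible SID string")
```

For the column-sizing question behind this thread: the longest string the function can emit is 183 characters (184 with a terminating NUL), so a fixed-width column of 184, or the 256 the answer suggests, never truncates; always run incoming SID strings through the parser before storing them, so that a malformed value cannot be linked to an account.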
