3.1.1.1.2 Configurable Translation Database and Corresponding View

The Configurable Translation Database is a general-purpose database for translation between security principal names and their corresponding SIDs. The Configurable Translation Database columns are the same as the Predefined Translation Database columns, and the view construction is the same. This database SHOULD be constructed using the abstract data model specified in [MS-SCMR] section 3.1.1. There MUST be one row for the "NT SERVICE" domain, as defined in the following table. There MUST be one row per service definition. The mapping rules are defined as follows:

  • For all these entries, the Domain DNS Name, Additional Security Principal Name, User Principal Name, Default User Principal Names, and Security Principal SID History columns are left empty.

  • For the "NT SERVICE" domain entry, the mapping rules are defined as follows:

    • Security Principal Name is "NT SERVICE"

    • Security Principal SID is S-1-5-80

    • Security Principal Type is SidTypeDomain

  • For each service definition entry, the mapping rules are defined as follows:

    • Security Principal Name is mapped from the ServiceName in [MS-SCMR] section 3.1.1.

    • Security Principal SID is mapped from the ServiceName in [MS-SCMR] section 3.1.1 using the following method:

      1. Convert the ServiceName field to its uppercase UTF-16 representation.

      2. Take the SHA1 hash of the name, where:

        1. hash[0] denotes the first 4 bytes of the resulting hash as an unsigned integer.

        2. hash[1] denotes the second 4 bytes of the resulting hash as an unsigned integer.

        3. And so on.

      3. Create the SID using the following mapping:

        • S-1-5-80-hash[0]-hash[1]-hash[2]-hash[3]-hash[4]

    • Security Principal Type is mapped to SidTypeWellKnownGroup.

The following table shows two columns in the Configurable Translation Database and Corresponding View as an example with the NT Service Domain and Service Name 'ALG'.

Domain NetBIOS Name: NT SERVICE

Domain SID: S-1-5-80

| Security Principal Name | Security Principal SID | Security Principal Type |
| --- | --- | --- |
| NT SERVICE | S-1-5-80 | SidTypeDomain |
| ALG | S-1-5-80-2387347252-3645287876-2469496166-3824418187-3586569773 | SidTypeWellKnownGroup |
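
The ServiceName-to-SID mapping above, as an added example that is not part of the specification text, extended with a reverse lookup that resolves S-1-5-80-* SIDs found in ACLs or logs against a service inventory. The little-endian byte order, the function names and the sample inventory are assumptions made here; the ALG value is the one from the table.

```python
import hashlib
import struct

SERVICE_SID_PREFIX = "S-1-5-80"  # SID of the "NT SERVICE" domain row


def service_sid(service_name: str) -> str:
    """Derive the Security Principal SID for a ServiceName (steps 1-3)."""
    # Step 1: uppercase, then UTF-16. Assumptions: little-endian code units
    # with no BOM or terminator, and str.upper() standing in for Windows
    # upcasing (the two agree for ASCII service names).
    encoded = service_name.upper().encode("utf-16-le")
    # Step 2: SHA-1 gives 20 bytes, read as five unsigned 32-bit integers
    # hash[0]..hash[4]. Assumption: each integer is little-endian.
    sub_authorities = struct.unpack("<5I", hashlib.sha1(encoded).digest())
    # Step 3: S-1-5-80-hash[0]-hash[1]-hash[2]-hash[3]-hash[4]
    return "-".join([SERVICE_SID_PREFIX, *map(str, sub_authorities)])


def is_service_sid(sid: str) -> bool:
    """True for S-1-5-80 followed by exactly five 32-bit sub-authorities."""
    parts = sid.upper().split("-")
    return (
        len(parts) == 9
        and parts[:4] == ["S", "1", "5", "80"]
        and all(p.isdigit() and int(p) < 2**32 for p in parts[4:])
    )


def resolve_service_sids(sids, known_service_names):
    """Map each per-service SID to its name, or None if not in the inventory.

    The hash cannot be inverted, so resolution means recomputing the SID for
    every known service name. SIDs outside the per-service form are skipped.
    """
    table = {service_sid(name): name for name in known_service_names}
    return {sid: table.get(sid) for sid in sids if is_service_sid(sid)}


if __name__ == "__main__":
    # Constructed sample data: an inventory and SIDs as they might appear
    # in an ACL dump. Only the ALG SID comes from the table above.
    inventory = ["ALG", "Spooler", "wuauserv"]
    observed = [
        "S-1-5-80-2387347252-3645287876-2469496166-3824418187-3586569773",
        "S-1-5-80-1-2-3-4-5",  # well-formed but matches no inventory entry
        "S-1-5-18",            # not a per-service SID, skipped
    ]
    for sid, name in resolve_service_sids(observed, inventory).items():
        print(sid, "->", name or "UNRESOLVED")
```

A well-formed S-1-5-80-* SID that resolves to no inventoried service is worth a closer look, since the ServiceName that produced it is not in the service database being compared against.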