If the RADIUS User-Name attribute ([RFC2865] section 5.1) is present in the request, the RADIUS
server MUST ignore the MS-User-Security-Identity attribute. Otherwise, the RADIUS server SHOULD convert
the SID to a Fully Qualified User Name using Active Directory Domain Services (AD DS). Once the Fully
Qualified User Name is available, the server MUST follow the same processing
rules specified for MS-RAS-Client-Name. If the server fails to obtain the Fully Qualified User Name
from AD DS, the server SHOULD send an Access-Reject message back to the NAS and stop processing.
The MS-User-Security-Identity attribute is used to carry a security identifier (SID). A SID uniquely
identifies a security principal. Each security principal has a unique SID that is issued by a security
agent; the agent can be a Windows local system or a domain, and it generates the SID when the security
principal is created. A SID can be represented either as a character string or as a binary structure.
When represented as a string, for example in documentation or logs, a SID is expressed as follows:
The fields of MS-User-Security-Identity MUST be set as follows:
Vendor-Type: An 8-bit unsigned integer that MUST be set to 0x28 for MS-User-Security-Identity.
Vendor-Length: An 8-bit unsigned integer that MUST be set to 2 plus the length of the Attribute-Specific
Value field. Its value MUST be at least 3.
Attribute-Specific Value: This field MUST contain the account SID of the user requesting access, encoded
in the binary (packet) SID format defined in [MS-DTYP] section 2.4.2.2, not the string form. This SID
identifies the remote access client being authenticated. Note that a well-formed binary SID is at least
8 bytes long (Revision, SubAuthorityCount and the 6-byte IdentifierAuthority, followed by 4 bytes per
sub-authority), so a receiver should treat a shorter value as malformed even though the Vendor-Length
floor stated above is only 3.