In the context of Security Identifiers (SIDs), the number 21 can have two distinct meanings, depending on its position and the overall structure of the SID. It can represent a domain identifier within the S-1-5 authority, or it can specify the Digest authentication package when found as a sub-authority under the S-1-5-64 (Authentication) SID.
21 as a Domain Identifier (S-1-5-21)
When 21 appears as a subauthority value immediately following S-1-5, it signifies that the SID is a domain SID. The S-1-5-21 structure is characteristic of SIDs assigned to user accounts, groups, and computers within a Windows domain. This specific subauthority value indicates that the subsequent series of numbers (the domain identifier) uniquely identifies a particular domain within a network.
SIDs beginning with S-1-5 are known as "well-known SIDs" and are common in Windows environments. Each number following S-1-5 specifies further details about the security principal.
Here's a look at some common S-1-5 subauthority values:
Decimal | Name | Notes |
---|---|---|
20 | NetworkService | S-1-5-20 is the well-known SID for NetworkService |
21 | Domain | Indicates a domain identifier follows |
32 | Users | E.g., S-1-5-32-568 is for the IIS_IUSRS group |
For example, a typical user or group SID in a domain might look like S-1-5-21-XXXXXXXXXX-YYYYYYYYYY-ZZZZZZZZZZ-RRR, where 21 marks the beginning of the domain identifier portion (represented by X, Y, Z). The RRR part is the Relative Identifier (RID) for the specific user or group within that domain.
21 as an Authentication Package (S-1-5-64-21)
In another context, 21 can refer to a specific authentication package when it is a sub-authority of the S-1-5-64 SID. The S-1-5-64 SID represents the Authentication authority, which is used to identify the type of authentication that was used to log on to a system.
Within this specific S-1-5-64 structure, different numbers identify various authentication protocols:
- 10: NTLM authentication
- 14: SChannel authentication
- 21: Digest authentication
Therefore, a SID like S-1-5-64-21 would indicate that the authentication method used was Digest authentication. This type of SID is often associated with process tokens and helps security systems understand the origin and strength of a user's credentials.
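To make the positional distinction concrete, here is an added Python example (not code from the original page) that parses a SID from its string form or from the binary layout returned in an LDAP objectSid attribute, and reports whether a 21 marks a domain identifier (S-1-5-21-X-Y-Z[-RID]) or the Digest package under S-1-5-64. The SID values in SAMPLE_SIDS are constructed, not taken from any real system.

```python
import re
import struct
from dataclasses import dataclass
from typing import List

NT_AUTHORITY = 5                                            # the "5" in S-1-5
AUTH_PACKAGES = {10: "NTLM", 14: "SChannel", 21: "Digest"}  # second value under S-1-5-64
SAMPLE_SIDS = ("S-1-5-21-1234567890-987654321-1122334455-1105", "S-1-5-64-21")  # constructed

@dataclass
class Sid:
    revision: int
    authority: int
    subauths: List[int]

def parse_sid(text: str) -> Sid:
    """Parse the string form S-<revision>-<authority>-<sub1>-...-<subN>."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)*)", text)
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    subs = [int(s) for s in m.group(3).split("-") if s]
    return Sid(int(m.group(1)), int(m.group(2)), subs)

def sid_from_bytes(raw: bytes) -> Sid:
    """Decode binary SID: revision, sub-authority count, 6-byte big-endian authority, count x LE uint32."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = list(struct.unpack(f"<{count}I", raw[8:]))
    return Sid(revision, authority, subs)

def describe(sid: Sid) -> dict:
    """Tell the two meanings of 21 apart by the position it occupies in the SID."""
    info = {"kind": "other"}
    if sid.revision != 1 or sid.authority != NT_AUTHORITY or not sid.subauths:
        return info
    first, rest = sid.subauths[0], sid.subauths[1:]
    if first == 21 and len(rest) in (3, 4):           # S-1-5-21-X-Y-Z[-RID]: domain SID
        info["kind"] = "domain"
        info["domain"] = "S-1-5-21-" + "-".join(str(s) for s in rest[:3])
        info["rid"] = rest[3] if len(rest) == 4 else None   # None for the bare domain SID
    elif first == 64 and len(rest) == 1:               # S-1-5-64-<package>: logon package
        info["kind"] = "auth-package"
        info["package"] = AUTH_PACKAGES.get(rest[0], f"unknown({rest[0]})")
    return info
```

Calling `describe(parse_sid(s))` for each entry of SAMPLE_SIDS yields a domain record with RID 1105 for the first and a Digest authentication-package record for the second.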
Understanding these different meanings of '21' in SIDs is crucial for comprehending how Windows manages security, identifies resources, and tracks authentication methods.