Can a single user have multiple credential sets using MS Active Directory

Solution 1

The answer to this is basically, no. AD allows only one password per user account. Because AD has the user name, and the pre-2000 username, I suppose you could kludge together 2 usernames for one account, but it's not a good idea. Any particular reason you need this? Maybe there is a better solution to your needs?

Solution 2

You can not have more than one password, but you can have multiple usernames using multiple UPN extensions.

i.e. for the domain contoso.com you could have the logins: [email protected], [email protected], [email protected]

All of these associated with the same account. However, you would still only have one password.

Solution 3

What you want to do is alter your clients to check authentication against two sources.

In other words, keep your existing database while you are transitioning to Active Directory. Have the clients check the AD account and if that doesn't auth, have them check the legacy auth source.

Any damage you do to make AD accept multiple usernames/passwords will be something you deal with for a long time. Just run parallel authentication sources until you're all transitioned.
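Added example (not code from the thread): the parallel-source check from Solution 3, placed on the server side as one commenter suggests. `ad_verify` is a stand-in for a real directory bind (assumed; a deployment would use an LDAP bind over TLS), and the legacy store and sample users are constructed for illustration. Each successful fallback is logged so the remaining old clients can be found and retired.

```python
import hashlib
import hmac
import logging
from typing import Callable, Optional

log = logging.getLogger("auth")

# Constructed legacy store: username -> clear-text password, which is the
# schema the question describes and the reason for the migration.
LEGACY_DB = {"jon": "pass1"}

# Constructed stand-in for Active Directory; a real deployment would bind to
# the directory instead of comparing against an in-memory dict.
AD_USERS = {"jon": "pass1"}


def md5_hex(password: str) -> str:
    """What the legacy client sends: an unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def fake_ad_verify(username: str, password: str) -> bool:
    """Assumed AD check. Replace with a directory bind in production."""
    return AD_USERS.get(username) == password


def legacy_verify(username: str, client_digest: str) -> bool:
    """Replicates the legacy check: hash the stored clear-text password and
    compare it, in constant time, with the digest the old client sent."""
    stored = LEGACY_DB.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(md5_hex(stored), client_digest)


def authenticate(username: str, secret: str,
                 ad_verify: Callable[[str, str], bool] = fake_ad_verify) -> Optional[str]:
    """Return "ad", "legacy" or None. AD is consulted first; the legacy
    source is only a fallback, and every fallback hit is logged so the
    legacy path can be removed once no client depends on it."""
    if ad_verify(username, secret):
        return "ad"
    if legacy_verify(username, secret):
        log.warning("legacy auth used by %r; client still needs upgrading", username)
        return "legacy"
    return None
```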

Solution 4

I can't really see why you would have a need to do this, but I agree with Sam in that there is no real way to do this.

You can copy a user or give a user the exact same permissions, and even access to the same mailbox and resources etc, but I don't see a way to have multiple usernames for one account.

Author: Thekwasti

Updated on September 17, 2022

Comments

  • Thekwasti
    Thekwasti over 1 year

    We are currently transitioning our existing database based authentication to Active Directory. In the existing implementation, passwords are kept in clear-text in the database (I know this is bad, this is why we are transitioning). When a user logs into our client-side application (not a browser), the application hashes the password using an MD5 hash, and sends it to the server. The server queries the database for the login supplied, hashes the clear-text password, and compares the result.

    Because this is a client side application, it takes time to upgrade all of our clients (could be months). So, we would like to support both authentication methods until clients are fully transitioned over.

    One way of doing this would be to have a single Active Directory user have two passwords, the real password, and an MD5 hash of the password. If they come in with either, they will be authenticated.

    Can a single user support multiple passwords in Active Directory?

    For example, can the real user Jon Smith have two sets of login passwords:

    1. login = "jon", password = "pass1"
    2. login = "jon", password = "pass2"

    If Jon passes in either of these at login time, he will be successfully authenticated.

    Thanks

    • Maximus Minimus
      Maximus Minimus almost 15 years
      Sounds like you're describing two separate user accounts to me.
  • ezakto
    ezakto almost 15 years
    +1 for using dual authentication sources but I would recommend altering the server, not the clients. Have the clients keep sending credentials to the server as they are doing but on the server-side of the application, check AD and then the legacy source. If the client app was abstracted from the authentication source, you wouldn't even need to alter the clients to change how you're checking their credentials.
  • Matt Simmons
    Matt Simmons almost 15 years
    David: Thanks! I do disagree with the transitioning method, though. I think that in the long term, it would be better to have the client authenticate directly to AD. That would eliminate the need to maintain two systems (the AD source and the abstraction layer), since authentication methods aren't changed so often. That's just my take, though. I may be wrong.