Hello,
This looked like an interesting one, so I did a bit of a dive.
Strap in.
AD accounts from different domains are different accounts.
True, as far as it goes.
Currently EA only support a [1]-[0..1] relation between an EA user and an AD account.
I'm not sure this entirely holds up.
An EA project user account (henceforth "project account") is stored in t_secuser, with a GUID in .UserID and the account name in .UserLogin. (Also .FirstName, .Surname, .Department and .Password; I don't know what this is used for in AD-linked accounts but there is something there.)
In the case of an AD-linked project account, .UserLogin is on the form DOMAIN\UserName; this is what Microsoft refers to as a "down-level logon name".
But there is no relationship between a project account and an AD account as such. There is nothing in t_secuser that specifies that this account is AD-linked; that is a policy on the project level (stored in t_secpolicies.WindowsAuthentication).
I'm not pointing this out to nitpick. Well, not only.
There is a point coming.
I don't think there is a way to allow windows authentication from two domains, and still have only one EA user.
No, but there might be a hack to make it look like there is.
I mentioned t_secpolicies above. Well, one thing conspicuously absent from that illustrious table is any mention of the domain. The domain is instead included in t_secuser.UserLogin. At the same time, it is perfectly possible for a project to feature a mix of AD-linked and non-AD-linked accounts; for instance, you might want to retain the default non-AD-linked "admin" account just in case.
What does this tell you?
It tells me that EA checks whether a project account is a down-level logon name or not. If not, it requires a password to authenticate, but if it is, it contacts the controller for the domain to authenticate.
The thing is, since the domain name isn't in t_secpolicies, it's altogether possible that EA could handle a situation where
different project accounts are linked to different domains. And there's nothing stopping two project accounts from having the same .FirstName, .Surname and .Department.
So provided the project admin can access the project from machines in two domains (not necessarily a single machine connected to both at the same time), it should be possible to import the same person's account details from both.
If this works, there will then be two rows in t_secuser with the same .FirstName and .Surname, but different .UserID and different UserLogin.
The project accounts would not
*be* the same, but the .UserID and .UserLogin aren't very visible in the GUI so they'd essentially
*look* the same.
Of course, the two accounts could end up in different groups if you're not careful -- or perhaps you'd actually like them to be.
User locks are connected to project accounts, so a person could not lock a package using one account and unlock it with the other.
If you're using group-based authentication for the underlying database, and please don't tell me you're not, you'd need to manage that as well. This might be the hard part.
But based on what I can see in the database schema I can find no reason why you couldn't have project accounts linked to different domains, and have EA automatically validate credentials with the correct domain controller for each user.
And if that's possible, then two accounts in different domains can be associated with the same person.
Yummm, that's good cake. Which I still haven't eaten.
/Uffe
