DNNCommunity / DNN.ActiveDirectory

Active Directory authentication for DNN
MIT License

AD provider + DNN provider + Email as username = Duplicate emails #19

Open roman-yagodin opened 7 years ago

roman-yagodin commented 7 years ago

All my sites have the "use email as username" option enabled. This requires emails to be unique, but the AD authentication provider still allows creating a user with an email that is already used by another user.

Generally this is not a problem, but it could lead to some unexpected behavior - e.g. after that I could not set the default authentication provider via site settings - when I try to do so, it shows an error message about duplicate emails and just does nothing.

I think it would be better if the AD provider checked for duplicate emails for newly created users when the DNN provider and "use email as username" are both enabled. If a duplicate is found, the email field could be set to blank and an error message displayed/logged.

sawest commented 7 years ago

This is a valid issue but not one that can be solved as easily as one might think. The option you mention deals only with DNN authentication (more specifically with creating new users). The AD provider is concerned only with AD authentication and creating a local DNN user identical to the one in AD. It would not be good if the AD provider did not allow authentication based on an email address in AD being a duplicate of another in the DNN system. Authentication should be based only on AD credentials and should allow a user with a duplicate email to still authenticate.

If then we allow a user to authenticate with a duplicate email, then our only option is to leave the email blank (or change it in some way invalidating it). This also is not a good solution as the DNN account should be the same as the AD account (and the email should be correct).

Therefore, the only solution I think is valid would be to use the same procedure as if you were to check the 'use email as username' option after you have a lot of users in the system. In this situation, you would need to search the user base and change any emails that are duplicated prior to enabling that option.
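The audit step described in the comment above (find every duplicated email in the user base before enabling "use email as username") can be done with a query against the DNN database. The following is an added example written for this page; it is not code from the DNN.ActiveDirectory project or from either participant. It assumes the standard DNN tables `dbo.Users` (columns `UserID`, `Username`, `Email`, `DisplayName`, `CreatedOnDate`, `IsDeleted`) and `dbo.UserPortals` (columns `UserID`, `PortalID`, `IsDeleted`) with no object qualifier prefix, and it treats emails as case-insensitive by grouping on `LOWER(Email)`; both the table names and the case handling are assumptions to check against your own install before acting on the results.

```sql
-- Added example (not from the DNN.ActiveDirectory project or this thread).
-- Assumption: standard DNN schema without an objectQualifier prefix; if your
-- install uses one (e.g. dnn_Users), adjust the table names accordingly.
-- Assumption: email comparison is case-insensitive, hence LOWER(...) below.
DECLARE @PortalID int = 0;   -- portal to audit; change per site

-- Step 1: one row per email address that is shared by more than one active
-- account in the portal. Deleted users and empty emails are excluded because
-- they cannot collide with a username.
SELECT LOWER(u.Email) AS Email,
       COUNT(*)       AS AccountCount
FROM dbo.Users u
JOIN dbo.UserPortals up ON up.UserID = u.UserID
WHERE up.PortalID = @PortalID
  AND u.IsDeleted = 0
  AND up.IsDeleted = 0
  AND u.Email IS NOT NULL
  AND u.Email <> ''
GROUP BY LOWER(u.Email)
HAVING COUNT(*) > 1
ORDER BY AccountCount DESC, Email;

-- Step 2: the individual accounts behind each duplicated email, oldest first,
-- so an administrator can decide which account keeps the address and which
-- ones must be corrected before the option is switched on.
SELECT u.UserID,
       u.Username,
       u.Email,
       u.DisplayName,
       u.CreatedOnDate
FROM dbo.Users u
JOIN dbo.UserPortals up ON up.UserID = u.UserID
WHERE up.PortalID = @PortalID
  AND u.IsDeleted = 0
  AND up.IsDeleted = 0
  AND LOWER(u.Email) IN (
        SELECT LOWER(u2.Email)
        FROM dbo.Users u2
        JOIN dbo.UserPortals up2 ON up2.UserID = u2.UserID
        WHERE up2.PortalID = @PortalID
          AND u2.IsDeleted = 0
          AND up2.IsDeleted = 0
          AND u2.Email IS NOT NULL
          AND u2.Email <> ''
        GROUP BY LOWER(u2.Email)
        HAVING COUNT(*) > 1)
ORDER BY LOWER(u.Email), u.CreatedOnDate;
```

Run both queries read-only against each portal first; the second result set is the list to work through (typically by correcting the email on the newer or AD-synchronised duplicate) before "use email as username" is enabled, so that the site-settings error described in the issue cannot occur.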