We have multiple local web applications using forms-based authentication against an Active Directory backend.
Our new security policy requires that each user have a different password for each web site.
The issue is, Active Directory only allows one password per user account.
Can anyone help me figure out a solution to make each user use the same username but with different passwords for each web site?
Then you can't use Active Directory authentication, unless you set up multiple user accounts for each user.
I believe the actual answer to this question is to ring up the geniuses writing this policy, and counter that it should be worded "different passwords for each account." Which I think is the actual intent. People should not be reusing passwords among different accounts.
Then go one step further and propose unifying all authentications to a single account. It is easier to secure with MFA, easier to terminate access, easier to address in the form of a lost password, easier to provision/deprovision - and (when the site/provider supports it) makes it possible to remove application-local accounts which usually have stagnant passwords that are ripe for brute-forcing.
Going as "required by the security team" would mean separate passwords for each external website not integrated with SSO/SAML/OIDC, frequently forgotten, rarely updated.
Without being too demeaning, this is such an awful policy (to apply to internal sites using the same authentication source anyway). It necessitates creating multiple, local accounts, which then ALL have to be disabled/deactivated upon termination - leaving you prone. Not to mention - the unlikelihood of being able to maintain a unified password policy against all of the various solutions.
Why not just create different domains? You can authenticate each application to a specific domain.
Under some conditions you can have the same username from 2 domains and thus a different password for the same username, but make sure you read about Trust Relationships before that.
HTH