Hello lupingyao,
Yes, that is possible.
You have to configure secondary authentication in your ASA and the Active Directory part will depend on which protocol you are using.
You can refer to this link for the double-authentication:
http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html
Here you can check the LDAP mapping in case you want to try it:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html
Please rate this post if you find it useful.
Regards.
- Javier -