Forum Discussion
Gilles,
I do believe I have seen this as a bug. To mitigate this, you can set the number of authentication attempts under AD Auth to 1, and it will terminate the session after each unsuccessful attempt, so user would have to click on a new link to start a new session. As a plus, you can customize the message upon auth failure to give user feedback on what to look out for. For example, you can check the value of AD error message value using this syntax: expr { [mcget {session.ad.last.errmsg}] contains "Invalid user credentials"} and customize feedback to user accordingly on the Deny page based upon the value et in that variable.
You can see if you can get better behavior by using Macros.
Put the Logon action in the macro, change "Max Logon Attempts Allowed" to 1 and configure the macro to loop with a value of 3 failed authentication attempts, and see if the issue is still there.