Account lockout issues due to the above-mentioned reason can be avoided using any of the following options:
- On the authentication server instance, only enable specific authentication protocols that are required/used in your environment.
Example: Select only Kerberos and NTLMv2. This setting uses Kerberos (the most secure option) in most cases and falls back to NTLMv2 when Kerberos fails. Alternatively, you may enable only Kerberos if your organization’s security guidelines discourage the use of NTLM wherever possible.
- Increase the account lock-out threshold configured on the backend Active Directory server.
In addition, we strongly recommend that you do not enable all three authentication protocol options. If you are unsure, it's best to keep NTLMv1 disabled, as the Kerberos and NTLMv2 combination should work in most deployments.