Change the Active Directory login behavior with multiple DCs
With the current code handling the Active Directory authentication of users, if you add multiple domain controllers as authentication sources, any error with the user's authentication will cause the authentication to be attempted on the next DC.
Unfortunately, this is also the case with failed passwords. The LDAP protocol has a built-in error message to tell the client that the failure was due to a bad password and not a server or communication issue (LDAPMessage bindResponse(3) invalidCredentials (80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece)).
This causes issues when users make mistakes on their passwords, it causes the AD DCs to register as many failed attempts as there are DCs registered in UTM per each error.
If you have 3 DCs listed as authentication source, you'll have 3 failed logins per attempt causing your account to get locked out after 1 or 2 attempts depending on your AD lockout policy.
Please change the code handling the LDAP authentication so that the LDAP BindResponse invalidCredentials packet isn't considered an error that forces the code to try the next DC but stops authentication there with the failure sent back to the user.
The exact same problem exists on the XG models. We hope Sophos fixes it or at least an option to modify the default behavior.