Credentials will sometimes be tried twice, increasing the likelihood of a lockout #9

@nidem

The ValidateCredentials function will sometimes try a password twice if the context fails to negotiate.

Reference: https://stackoverflow.com/questions/31374578/authenticate-against-active-directory-once-counts-as-two-invalid-logins

The line leading to this is here:

return context.ValidateCredentials(username, password);

IMO, there are two ways to mitigate this.

Option 1: Explicitly set the context

With ValidateCredentials, explicitly set the context options to ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing.

New line 287

return context.ValidateCredentials(username, password, ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing);

This is what MS defaults to, but if Negotiate | Signing | Sealing fails it will try SimpleBind | SecureSocketLayer which leads to two failed guesses.

I don't know if there are situations where, if you explicitly set Negotiate | Signing | Sealing, it will fail artificially (due to bind, not bad creds).

Option 2: Try different context options with a known good user

If you have known good user creds, try explicitly using Negotiate | Signing | Sealing. If that fails, then try SimpleBind | SecureSocketLayer and use that for all password guessing.
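The two options above, as an added example that is not the project's code and not part of the issue: an application that validates user logons against Active Directory probes once with credentials it already knows are valid (the app's own service account, a placeholder here) to pick a context option set the DC actually binds with, then passes that set explicitly on every real check so one wrong password costs exactly one failed logon. The domain name and account names are assumptions.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example. Assumes a domain-joined host; "corp.example" and the
// probe account are placeholders, not values from the issue.
public sealed class AdAuthenticator
{
    private readonly string _domain;
    // Option 1: the explicit default, so the library never falls back to
    // SimpleBind | SecureSocketLayer and counts a second failed attempt.
    private ContextOptions _options =
        ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;

    public AdAuthenticator(string domain) { _domain = domain; }

    // Option 2: probe with known-good credentials so a bind-level failure is
    // not mistaken for a bad password, and remember the set that worked.
    public ContextOptions Probe(string knownGoodUser, string knownGoodPassword)
    {
        var candidates = new[]
        {
            ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing,
            ContextOptions.SimpleBind | ContextOptions.SecureSocketLayer,
        };
        foreach (var opt in candidates)
        {
            try
            {
                using (var ctx = new PrincipalContext(ContextType.Domain, _domain))
                {
                    if (ctx.ValidateCredentials(knownGoodUser, knownGoodPassword, opt))
                    {
                        _options = opt;
                        return opt;
                    }
                }
            }
            catch (Exception ex) when (ex is PrincipalServerDownException
                                       || ex is PrincipalOperationException)
            {
                // Bind could not be negotiated at all; try the next option set.
            }
        }
        throw new InvalidOperationException("No context option set bound with known-good credentials.");
    }

    // Every real check performs a single bind with the chosen options.
    public bool Validate(string username, string password)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, _domain))
            return ctx.ValidateCredentials(username, password, _options);
    }
}
```

Call `Probe` once at startup (for example `new AdAuthenticator("corp.example").Probe("svc-auth", servicePassword)`), then use `Validate` for user logons; the badPwdCount on the account rises by one per wrong password rather than two.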
