With a KCD SEG setup, users keep getting locked out of their AD accounts when email authentication fails.
When encountering or troubleshooting an issue authenticating to Exchange with a certificate, the device can silently generate so many failed attempts that the user's AD account gets locked out.
The solution to this issue is to remove the username field from the email profile for the KCD setup. The username information should already be included in the client certificate, so the email profile is still valid. However, when authentication fails, Exchange won't have an account to count the failed attempts against, so it won't lock out the user's AD account.
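One way to check exported profiles for this condition, as an added example that is not part of the original article or any vendor tooling. It assumes the email profile is available as an unsigned Apple configuration profile (.mobileconfig) containing a com.apple.eas.account payload; the article does not say which device platform is in use, and the sample profile, host and user below are constructed.

```python
import plistlib

EAS_TYPE = "com.apple.eas.account"  # Apple's Exchange ActiveSync payload type

# Constructed sample (not from the article): certificate auth with a username still set.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.eas.account</string>
      <key>PayloadDisplayName</key><string>Corp Mail (constructed)</string>
      <key>Host</key><string>seg.example.com</string>
      <key>UserName</key><string>jdoe@example.com</string>
      <key>PayloadCertificateUUID</key><string>00000000-0000-0000-0000-000000000001</string>
    </dict>
  </array>
</dict></plist>"""


def audit_eas_payloads(profile_bytes):
    """Flag EAS payloads that use a client certificate but still carry a username."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict) or payload.get("PayloadType") != EAS_TYPE:
            continue
        # Either key means the payload authenticates with a client certificate.
        uses_cert = bool(payload.get("PayloadCertificateUUID") or payload.get("Certificate"))
        username = str(payload.get("UserName", "")).strip()
        if uses_cert and username:
            findings.append({
                "profile": payload.get("PayloadDisplayName", "<unnamed>"),
                "host": payload.get("Host", "<unknown>"),
                "username": username,
            })
    return findings


if __name__ == "__main__":
    for f in audit_eas_payloads(SAMPLE_PROFILE):
        print(f"{f['profile']}: certificate auth with UserName={f['username']!r} "
              f"against {f['host']}; remove the username field")
```

A profile that authenticates by password only is not flagged, since the lockout described here concerns certificate-based profiles that also send a username.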