In a new application, the Password Policy was configured to lock out a user after 3 consecutive failed login attempts.
But the account gets locked out after only 2 invalid login attempts.
Multiple User Directories were configured for the application, all pointing to the same LDAP server.
The Password Policy is configured to lock out the user after 3 consecutive authentication failures.
User Directory1: Application Users(LDAP1)
User Directory2: Domain Users(LDAP1)
When user1 tries to log on with an invalid password, the user is found in both User Directory1 and User Directory2, because both connect to LDAP1.
The Policy Server attempts a BIND with the UserDN returned by User Directory1 and again with the UserDN returned by User Directory2, each time using the password supplied at the login page.
This causes 2 invalid authentication attempts, and each one increments the Failed Login Count.
Although it was 1 login attempt, a Failed Login was recorded twice.
On the 2nd login attempt with an invalid password, two more failures are recorded, so the Failed Login Count passes the 3 consecutive failures configured in the Password Policy and the user is locked out.
Use a single User Directory so that the same username is found only once.
Then only one Failed Login is recorded per login attempt.
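As an added illustration (not from the original article and not the product's own code), the following Python model reproduces the behaviour described above and generalizes it to any number of User Directories pointing at one LDAP server; the server, user1 and the passwords are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class LdapServer:
    """Constructed stand-in for LDAP1; tracks the per-user Failed Login Count."""
    users: dict                       # username -> password (sample data)
    failed: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)


@dataclass
class UserDirectory:
    name: str
    server: LdapServer                # the LDAP server this directory connects to


def authenticate(username, password, directories, max_failures=3):
    """One login attempt as the Policy Server processes it: a BIND in every
    User Directory where the user is found, each failed BIND incrementing the
    Failed Login Count. Returns "ok", "failed" or "locked"."""
    outcome = "failed"
    for ud in directories:
        srv = ud.server
        if username not in srv.users:
            continue                  # not found here, try the next directory
        if username in srv.locked:
            return "locked"
        if srv.users[username] == password:
            srv.failed[username] = 0  # success resets the consecutive count
            return "ok"
        srv.failed[username] = srv.failed.get(username, 0) + 1
        if srv.failed[username] >= max_failures:
            srv.locked.add(username)  # threshold reached: account disabled
            outcome = "locked"
    return outcome


def attempts_until_lockout(num_directories, max_failures=3):
    """Wrong-password attempts needed to lock user1 when num_directories User
    Directories all point at the same LDAP server."""
    ldap1 = LdapServer({"user1": "correct-password"})
    dirs = [UserDirectory(f"User Directory{i + 1}", ldap1) for i in range(num_directories)]
    attempt = 1
    while authenticate("user1", "wrong-password", dirs, max_failures) != "locked":
        attempt += 1
    return attempt
```

With one directory the account locks on the 3rd bad attempt as the policy intends; with two directories on the same server it locks on the 2nd, and with three it locks on the first.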