If Zimbra is configured with an external LDAP authentication provider (we authenticate against our AD), the external authentication provider is tried first when authenticating a user. The user is able to log in using the external password and set a password for the Zimbra account (as we don't provision passwords in Zimbra for new users), and they are instructed to use the Zimbra internal password when using external mail/calendar clients, as they are not allowed to save the AD domain password on home computers etc.
This authentication provider processing happens in the wrong order, however. Every time a user logs on using the Zimbra password, the external password is tried first, and if the user does several logons within a short period (like having several calendars subscribed on a CalDAV client), the AD account gets locked. And after that the user cannot log in at all until the account is unlocked. If the process worked the other way, there would be no problem (we could disable account lockout on Zimbra, but will not do it for AD; or Zimbra could count only totally failed logins for the account lockout counter).
Is there a way to make the authentication process go the other way around, or are we the only ones suffering from this?
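
The ordering effect described in the post, modelled as an added example (not part of the original post and not Zimbra's code): it replays client logins that send the internal password through a two-provider chain and counts the bad attempts AD records under each order. The lockout threshold of 5, the passwords, and the names `Provider`, `authenticate` and `simulate` are assumptions; what happens to logins after AD locks is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

AD_LOCKOUT_THRESHOLD = 5  # assumed AD policy value; the post does not give one

@dataclass
class Provider:
    """One password store in the chain, with an optional bad-password lockout."""
    name: str
    password: str
    lockout_threshold: Optional[int] = None  # None: no lockout on this store
    bad_count: int = 0
    locked: bool = False

    def check(self, candidate: str) -> bool:
        if self.locked:
            return False
        if candidate == self.password:
            self.bad_count = 0
            return True
        self.bad_count += 1
        if self.lockout_threshold is not None and self.bad_count >= self.lockout_threshold:
            self.locked = True
        return False

def authenticate(chain, candidate):
    """Try providers in order and stop at the first one that accepts."""
    return any(p.check(candidate) for p in chain)

def simulate(order, requests):
    """Replay `requests` client logins that all send the internal password.

    Returns (bad attempts recorded by AD, AD locked?, request that locked AD or None).
    """
    ad = Provider("ad", "ad-password", AD_LOCKOUT_THRESHOLD)  # constructed value
    local = Provider("zimbra", "zimbra-password")             # constructed value
    chain = [ad, local] if order == "external-first" else [local, ad]
    locked_at = None
    for n in range(1, requests + 1):
        authenticate(chain, "zimbra-password")
        if ad.locked and locked_at is None:
            locked_at = n
    return ad.bad_count, ad.locked, locked_at

if __name__ == "__main__":
    for order in ("external-first", "local-first"):
        print(order, simulate(order, requests=8))
```

With the external provider first, every successful login with the internal password still costs one failed attempt against AD; with the local store first, AD is never consulted for those logins.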