Denial of service when using Active Directory for KDC?

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Thu May 5 13:57:49 EDT 2005


Hi,
 
I wondered if anybody has any experience of this potential DoS issue:
 
- It is common, when using Active Directory as a KDC, for user accounts
to be used when creating service principals, and for the Microsoft
ktpass.exe utility to be used to create a key table file.
 
- It is also possible to configure Active Directory so that when a user
gets their password wrong more than a specific number of times their
account is locked until an administrator unlocks them.
 
- If somebody tries to log on (deliberately, or by mistake) using an
account which is being used for a service principal, and gets the
password wrong many times, we assume that the account will be locked in
the same way as a normal user account would be locked.
 
- If an account gets locked and it is being used for a service
principal, how does Active Directory handle this? Does it still issue
service tickets for the principal when it receives a TGS request? Is
there any special logic in AD so that accounts being used in this way
are not locked?
 
We plan to do some tests to understand what effect this might have, and
whether there is cause for concern, but I wanted to first see if anybody
else has come across this potential DoS, or has any ideas?
 
Any feedback welcome.
 
Take care,
 
Tim
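One practical check that goes with the test Tim plans: before and after a deliberate run of bad passwords against the account behind an SPN, read the account's lockout state and the lockout policy that actually applies to it. The script below is an added example, not part of the original post or of any product; it assumes the ActiveDirectory PowerShell module (RSAT), read access to the account attributes, and a placeholder SPN 'HTTP/web01.example.com'. It queries the PDC emulator because badPwdCount is not replicated and the PDC emulator holds the authoritative count.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT) and rights to read the account's lockout attributes.
# 'HTTP/web01.example.com' is a placeholder SPN.
Import-Module ActiveDirectory

function Get-SpnAccountLockoutState {
    param(
        [Parameter(Mandatory)] [string] $ServicePrincipalName
    )

    # badPwdCount is per-DC and not replicated; the PDC emulator receives
    # every failed attempt, so query it for the authoritative picture.
    $pdc = (Get-ADDomain).PDCEmulator

    # Locate the account that carries the SPN the keytab was built for.
    $acct = Get-ADUser -Server $pdc `
        -LDAPFilter "(servicePrincipalName=$ServicePrincipalName)" `
        -Properties LockedOut, badPwdCount, LastBadPasswordAttempt,
                    'msDS-ResultantPSO', ServicePrincipalName
    if (-not $acct) { throw "No account holds SPN $ServicePrincipalName" }

    # The policy in force is a fine-grained password policy (PSO) if one
    # applies to this account, otherwise the domain default policy.
    $policy = if ($acct.'msDS-ResultantPSO') {
        Get-ADFineGrainedPasswordPolicy -Server $pdc -Identity $acct.'msDS-ResultantPSO'
    } else {
        Get-ADDefaultDomainPasswordPolicy -Server $pdc
    }

    [pscustomobject]@{
        Account                = $acct.SamAccountName
        ServicePrincipalNames  = $acct.ServicePrincipalName -join ', '
        LockedOut              = [bool]$acct.LockedOut
        BadPasswordCount       = $acct.badPwdCount
        LastBadPasswordAttempt = $acct.LastBadPasswordAttempt
        LockoutThreshold       = $policy.LockoutThreshold          # 0 means lockout is disabled
        LockoutDuration        = $policy.LockoutDuration           # 00:00:00 means until an admin unlocks
        ObservationWindow      = $policy.LockoutObservationWindow  # window in which bad attempts accumulate
    }
}

# Run once before the bad-password test and once after it.
Get-SpnAccountLockoutState -ServicePrincipalName 'HTTP/web01.example.com'

# If the test locked the account, clear the lock by hand
# (placeholder account name):
# Unlock-ADAccount -Server (Get-ADDomain).PDCEmulator -Identity 'svc-web'
```

To see whether the KDC still issues service tickets for the SPN while the account is locked, request one from a client that already holds a valid TGT (on Windows, `klist get HTTP/web01.example.com`; with MIT Kerberos, `kvno HTTP/web01.example.com`) and compare the result with the LockedOut value reported above. The script reports state only; it does not assume either outcome.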

