Managing policies in a multi KDC environment?

William Clark majorgearhead at gmail.com
Wed Feb 19 10:27:34 EST 2014


First a little about my environment:
I have a very large enterprise, 60K+ hosts, that I support with Kerberos services.  I currently have 10 KDCs that are geographically located.  They are each behind L3DSR VIPs within the region that the server resides in, and there is a GSLB above that which allows me to give out 1 KDC address that is redundant and efficient in all world regions.  Currently I have an outside process that enforces policies and will lock accounts on the master server so that this is propagated down to all the KDCs.

Question:
I would like to use the built-in Kerberos policy support; however, since I have 10 KDCs, for me to enforce a 5-password-errors-to-lockout type policy would be the same as giving the user 50 attempts if they craft them right.  Does MIT or anyone else have a project to allow use of policies in multi-KDC environments like this?


William Clark
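As an added illustration (constructed example code, not from the post and not MIT Kerberos code), the following toy model shows the accounting problem the post describes: when every KDC behind the load balancer keeps its own failed-authentication counter, a password sprayer who rotates guesses across the KDCs gets the lockout threshold multiplied by the number of KDCs, whereas a single counter seen by all KDCs caps the attacker at the threshold. The KDC count (10), the threshold (5), the principal name, the guess list and the error-code names used for replies are all assumptions made for the simulation.

```python
"""Constructed simulation of per-KDC versus shared failed-auth counters.

Models the scenario in the post: 10 KDCs behind one address, a lockout
policy of 5 failures, and an attacker who spreads guesses across KDCs.
Not MIT krb5 code; the reply names merely borrow RFC 4120 error codes.
"""

MAX_FAILURES = 5   # lockout threshold from the post (assumed)
NUM_KDCS = 10      # replica count from the post (assumed)


class FailureCounter:
    """Per-principal failed pre-authentication counter with lockout."""

    def __init__(self):
        self.failures = {}
        self.locked = set()

    def record_failure(self, principal):
        n = self.failures.get(principal, 0) + 1
        self.failures[principal] = n
        if n >= MAX_FAILURES:
            self.locked.add(principal)

    def is_locked(self, principal):
        return principal in self.locked


class Kdc:
    """A KDC that consults a counter (its own, or one shared by all KDCs)."""

    def __init__(self, name, counter):
        self.name = name
        self.counter = counter

    def as_req(self, principal, password, real_password):
        if self.counter.is_locked(principal):
            return "KDC_ERR_CLIENT_REVOKED"      # account locked out
        if password != real_password:
            self.counter.record_failure(principal)
            return "KDC_ERR_PREAUTH_FAILED"      # wrong password, counted
        return "AS_REP"                          # ticket issued


def build_kdcs(shared_counter):
    """Build NUM_KDCS KDCs, either each with its own counter or all sharing one."""
    if shared_counter:
        shared = FailureCounter()
        return [Kdc("kdc%d" % i, shared) for i in range(NUM_KDCS)]
    return [Kdc("kdc%d" % i, FailureCounter()) for i in range(NUM_KDCS)]


def spray(kdcs, principal, guesses, real_password):
    """Attacker rotates guesses across KDCs (as a crafted client can, bypassing
    the single VIP address). Returns how many guesses were actually evaluated
    before every KDC refused the principal or a guess succeeded."""
    evaluated = 0
    refusing = set()
    for i, guess in enumerate(guesses):
        kdc = kdcs[i % len(kdcs)]
        reply = kdc.as_req(principal, guess, real_password)
        if reply == "KDC_ERR_CLIENT_REVOKED":
            refusing.add(kdc.name)
            if len(refusing) == len(kdcs):
                break                    # locked everywhere; attacker is done
            continue
        evaluated += 1
        if reply == "AS_REP":
            break                        # guess succeeded
    return evaluated


def run_comparison():
    """Attack budget under both counter designs for the same guess list."""
    principal = "alice@EXAMPLE.COM"                         # assumed
    real_password = "correct horse battery staple"          # assumed
    guesses = ["wrong-%03d" % i for i in range(200)]        # constructed, none correct
    return {
        "per_kdc": spray(build_kdcs(False), principal, guesses, real_password),
        "shared": spray(build_kdcs(True), principal, guesses, real_password),
    }


if __name__ == "__main__":
    print(run_comparison())
```

Run as a script it prints the two budgets: with independent counters the sprayer gets MAX_FAILURES × NUM_KDCS evaluated guesses before all ten KDCs lock the principal; with one counter shared by every KDC it gets MAX_FAILURES. Any real fix has to move the count (not just the final lock decision) to a place all KDCs consult, or propagate failures between KDCs faster than the attacker can rotate.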





More information about the Kerberos mailing list