We use pam_tally2 in our system-auth config file which works fine for users. With services such as SCOM or Nervecenter it causes lockouts.

Same behavior on RHEL5 and RHEL6

This is /etc/pam.d/nervecenter

#%PAM-1.0
# Sample NerveCenter/RHEL6 PAM configuration
# This PAM registration file avoids use of the deprecated pam_stack.so module.
auth         include    system-auth
account      required   pam_nologin.so
account      include    system-auth

and this is /etc/pam.d/system-auth

auth       sufficient     pam_centrifydc.so
auth       requisite      pam_centrifydc.so deny
account    sufficient     pam_centrifydc.so
account    requisite      pam_centrifydc.so deny
session    required       pam_centrifydc.so homedir
password   sufficient     pam_centrifydc.so try_first_pass
password   requisite      pam_centrifydc.so deny
auth        required      pam_tally2.so deny=6 onerr=fail
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 minclass=3  minlen=8 lcredit=1 ucredit=1 dcredit=1 ocredit=1 difok=1
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=8
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

The login does work but it also triggers the pam_tally counter up until it hits 6 "false" logins.

Is there any pam-ninjas around that could spot the issue?

Thanks.