I'm trying to set up LDAP & Kerberos for username/password auth.
I have a slightly unusual setup so maybe I've hit a strange edge case bug.
I have a read only ldap replica with users in it, that sources from Active Directory.
I set up User Federation of type LDAP. I set it up with Vendor: Active Directory so the
schema was right. Authentication Type is set to none.
I then turned on "Use Kerberos For Password Authentication" and have "Allow
Kerberos Authentication" set to false.
I ensured a proper krb5.conf and can kinit.
I checked the logs and do see the proper kerberosRealm printed out of
org.keycloak.storage.ldap.LDAPIdentityStoreRegistry.
User authentication is failing though. Through some stracing, I can see it trying to send
the password to LDAP. The LDAP replica has no password info though, so this will always
fail.
Is this expected behavior in this config? It was surprising to me.
Thanks,
Kevin
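As an added example, not Keycloak code and not part of Kevin's post: an offline consistency check over the three artifacts his message mentions, a krb5.conf, the realm Keycloak logged from the LDAP provider config, and the two Kerberos switches on the provider. It parses the krb5.conf the way kinit reads it (default_realm plus the kdc entries per realm), pulls the realm and switches out of a log line, and reports whether the Kerberos side is even internally consistent (realm upper-case, equal to default_realm, and backed by at least one KDC) before anyone looks at why the password went to LDAP instead. The krb5.conf and the log line are constructed samples; the wording of the log line, and the assumption that the provider config keys (kerberosRealm, useKerberosForPasswordAuthentication, allowKerberosAuthentication) appear in it by those names, are mine, not something the post states.

```python
"""
Offline check of the Kerberos side of a Keycloak LDAP federation provider.
Added example, not Keycloak code. The krb5.conf and the log line below are
constructed samples; the config key names searched for in the log are an
assumption about how the provider config is printed.
"""
import re

# Constructed krb5.conf, in the format kinit reads.
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com
        admin_server = dc1.example.com
    }
"""

# Constructed log line shaped like the registry message from the post.
# Assumption: the provider config keys are printed under these names.
KEYCLOAK_LOG = (
    "INFO  [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] "
    "Creating new LDAP Store ... kerberosRealm: EXAMPLE.COM, "
    "useKerberosForPasswordAuthentication: true, "
    "allowKerberosAuthentication: false"
)

SWITCHES = ("useKerberosForPasswordAuthentication", "allowKerberosAuthentication")


def parse_krb5_conf(text):
    """Return {'default_realm': str|None, 'realms': {REALM: [kdc, ...]}}."""
    out = {"default_realm": None, "realms": {}}
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:  # new section header, e.g. [libdefaults] or [realms]
            section, realm = m.group(1), None
            continue
        if section == "libdefaults":
            key, _, val = line.partition("=")
            if key.strip() == "default_realm":
                out["default_realm"] = val.strip()
        elif section == "realms":
            m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            if m:  # REALM = { opens a realm block
                realm = m.group(1)
                out["realms"].setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm is not None:
                key, _, val = line.partition("=")
                if key.strip() == "kdc":
                    out["realms"][realm].append(val.strip())
    return out


def kerberos_settings_from_log(log_text):
    """Extract kerberosRealm and the two boolean switches from a log line."""
    m = re.search(r"kerberosRealm:\s*([^,\s]+)", log_text)
    settings = {"kerberosRealm": m.group(1) if m else None}
    for key in SWITCHES:
        m = re.search(key + r":\s*(true|false)", log_text)
        settings[key] = (m.group(1) == "true") if m else None
    return settings


def diagnose(krb5_text, log_text):
    """List Kerberos-side inconsistencies between krb5.conf and the provider."""
    conf = parse_krb5_conf(krb5_text)
    settings = kerberos_settings_from_log(log_text)
    realm = settings["kerberosRealm"]
    problems = []
    if realm is None:
        problems.append("no kerberosRealm found in the Keycloak log line")
    else:
        if realm != realm.upper():
            problems.append("kerberosRealm is not upper-case")
        if realm != conf["default_realm"]:
            problems.append("kerberosRealm differs from krb5.conf default_realm")
        if not conf["realms"].get(realm):
            problems.append("no kdc entries for kerberosRealm in krb5.conf")
    return {"settings": settings, "problems": problems}


if __name__ == "__main__":
    result = diagnose(KRB5_CONF, KEYCLOAK_LOG)
    print("switches:", {k: result["settings"][k] for k in SWITCHES})
    print("problems:", result["problems"] or "none")
```

Run it against the real /etc/krb5.conf and the real registry log line; an empty problems list means the realm Keycloak will use is the one kinit succeeded against, which is the precondition Kevin already established by hand. The switch values are printed alongside so that the provider's Kerberos configuration and the observed LDAP bind can be compared in one place.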