We are using MFA with the JSS so that any admins have to produce 2nd factor (app or phone call). We notice that we get two notifications for 2FA upon logging in. Looking at the logs on the LDAP and MFA servers the JSS is doing two LDAP requests. So what happens is the following:
enter username and password
approve using app or answering phone
wait
approve again using app or answering phone
login
Is this because the JSS is making one LDAP request for credentials and then one for group memberships? Is there anyway to prevent this behavior?