Does map to guest = bad user work in "server" security mode? Just playing with it a little, it looks like it might be unable to differentiate between bad users and bad passwords under those circmstances. Is that in fact the case?