SMTRYNO not working with shim - 2

Article ID: 204142

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

We're running a Web Agent and we'd like to know why the cookie SMTRYNO
is getting updated on each AuthChallenge call.

We'd also like to know why smauthreason 27 is set for all
AuthChallenge calls.

Finally, we'd also like to know if there's any other way to retrieve the
number of attempts remaining / number of failed attempts.

Resolution

1. The SMTRYNO cookie gets updated because the full authentication is
   not yet considered complete.

   Returning smauthreason 27 means that the Policy Server has not
   authenticated the user.

2. smauthreason 27 is used by the Advanced Authentication scheme to
   ask the Policy Server and Web Agent to perform a redirect.

   Redirection

     The authentication scheme can tell the Policy Server to instruct the
     agent to perform a redirect. To build an authentication scheme that
     provides redirection capabilities, place the URL in the lpszErrMsg
     parameter and return a status code that includes reason code
     Sm_Api_Reason_ErrorMessageIsRedirect.

     For example:

     /* Place the redirect URL in lpszErrMsg and tell the Policy Server that
        the "error message" is really a redirect target (reason code 27). */
     strcpy (lpszErrMsg, "https://12.12.1.1/display/user.cgi?dn=");
     strcat (lpszErrMsg, lpUserContext->lpszUserName);
     return SM_MAKEAUTH_STATUSVALUE (Sm_AuthApi_Accept,
                                     Sm_Api_Reason_ErrorMessageIsRedirect);

     This functionality is useful when customizing the workflow of a Web
     application using a standard Agent. However, configuring redirection
     is also useful when using custom agents.

   https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/programming/sdks/programming-in-c/authentication-api-in-c.html
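   As an added example (not code from this article or from Broadcom's SDK documentation), the same redirect message built with a bounded, percent-encoded copy instead of strcpy/strcat, so that a long or specially formed user name can neither overrun lpszErrMsg nor add query parameters to the redirect target; REDIRECT_BASE is the URL from the excerpt above, while AUTH_ACCEPT, make_status() and status_reason() are assumed stand-ins for Sm_AuthApi_Accept and SM_MAKEAUTH_STATUSVALUE, not the SDK's definitions:

```c
/* Added example, not Broadcom SDK code. REDIRECT_BASE is the URL from the
 * excerpt above; AUTH_ACCEPT, make_status() and status_reason() are assumed
 * stand-ins for Sm_AuthApi_Accept and SM_MAKEAUTH_STATUSVALUE. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REDIRECT_BASE "https://12.12.1.1/display/user.cgi?dn="
#define REASON_ERROR_MESSAGE_IS_REDIRECT 27   /* smauthreason 27 on this page */
#define AUTH_ACCEPT 1                          /* assumed stand-in value */

/* Assumed stand-in for SM_MAKEAUTH_STATUSVALUE: pack status and reason into one int. */
static int make_status(int status, int reason) { return status | (reason << 16); }
static int status_reason(int packed) { return (packed >> 16) & 0xffff; }

/* Percent-encode `in` into `out` (cap bytes incl. NUL). Unreserved characters
 * pass through; everything else (',', '=', '/', '?', '&', '#', spaces, ...) is
 * encoded, so a DN or user name cannot add query parameters or change the
 * redirect target. Returns bytes written without NUL, or -1 if it does not fit. */
static int url_encode(const char *in, char *out, size_t cap) {
    size_t n = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int plain = isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~';
        size_t need = plain ? 1 : 3;
        if (n + need >= cap) return -1;        /* leave room for the NUL */
        if (plain) out[n] = (char)c;
        else snprintf(out + n, cap - n, "%%%02X", c);
        n += need;
    }
    out[n] = '\0';
    return (int)n;
}

/* Fill err_msg (cap bytes) with REDIRECT_BASE + encoded user and return the
 * packed accept/redirect status, or -1 (and an empty err_msg) when the URL
 * would not fit; nothing is ever truncated or written past the buffer. */
int build_redirect(const char *user, char *err_msg, size_t cap) {
    size_t base_len = strlen(REDIRECT_BASE);
    if (base_len + 1 > cap) return -1;
    memcpy(err_msg, REDIRECT_BASE, base_len + 1);
    if (url_encode(user, err_msg + base_len, cap - base_len) < 0) {
        err_msg[0] = '\0';
        return -1;
    }
    return make_status(AUTH_ACCEPT, REASON_ERROR_MESSAGE_IS_REDIRECT);
}
```

A user name such as "cn=Alice Smith,ou=users" becomes "cn%3DAlice%20Smith%2Cou%3Dusers" in the query string, and a buffer too small for the full URL yields -1 rather than a partial redirect.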

3. There are several ways to retrieve the bad password count, as described in this KB article:

   Retrieve bad password count
   https://knowledge.broadcom.com/external/article?articleId=189084