Here's what happened:

1. I set up ssh key so that user could ssh from A to B without a password.
2. I got user's password wrong in some other context too many times, and user's account got locked out. (IT uses Active Directory here)
3. IT unlocked the account. Concurrent to the unlocking, a script was running, calling something like ssh user@B some-health-check-command every 5 seconds or so -- which seemed to work fine before I caused user to get locked out in step 2.
4. IT reports user reliably gets locked out a short time after each unlock attempt.

I thought the ssh key would allow ssh user@B some-command as long as the account is not locked.

But it behaves as if, when user gets unlocked, B suddenly asks for a password and since my command repeatedly runs without supplying a password, the account gets locked out after 5 attempts.

Account cannot be accessed at this time.
Please contact your system administrator.

My questions are...

1. Is that what's happening? Or: what's happening?
2. More importantly: How can I reconfigure things such that my script doesn't cause problems? Can I accomplish what I want without having to install Expect? (I don't know if I have permission to do so)

Other notes: Not using ssh-agent currently. The ssh command is running on our Jenkins master, a linux box. A and B are Mac OS X. user is managed in Active Directory and normally can sign into all three machines. Other than these things and the ssh key I set up, everything else has the default configuration as far as I know.