Authentications fail when a domain controller becomes unavailable. Quest Single Sign-on for Java is not moving on to the next domain controller.
For faster timeouts, you can explicitly set "jcsi.kerberos.maxpacketsize" to a nonzero value that fits comfortably in a single Ethernet packet (i.e. won't exercise UDP fragmentation). For example, -Djcsi.kerberos.maxpacketsize=1450 would fit with room to spare. Once you're using UDP (i.e. a nonzero maxpacketsize), "jcsi.kerberos.sotimeout" comes into play. The default is 15000 (i.e. 15 seconds) and is generally fine.
TCP failover will still be available if required.