Hi,
there exists a trace location that should provide useful information for such cases. It is described in SAP note:
1493272 - A user gets locked automatically
My suggestion is add the location com.sap.security.core.userlocking as
specified in the attachment to the note and once it is added, set that
location to DEBUG and wait for the user to be locked again. Hopefully additional information concerning the origin of the bad credentials will be written to traces.
Exactly how you capture the traces depends on the frequency in which
the user becomes locked. For example if the user becomes locked every
few minutes, after adding the location in the configtool and
restarting the system, I suggest using the Security Troubleshooting
Wizard to do so. Refer to note 1332726 - Troubleshooting Wizard and
its attachments. Create a custom incident that is a copy of the
Authentication incident and add this location
com.sap.security.core.userlocking to the newly created incident
Set the wizard to use this new incident for trace collection and wait
for the user to become locked. Then immediately stop the wizard's
trace collection
I
f the locking occurs less frequently than every few minutes, it is
preferable to use the NWA to adjust the severity of these locations
and their sublocations to DEBUG and wait for the issue to reoccur
com.sap.security.core.userlocking
com.sap.engine.interfaces.security
com.sap.engine.services.httpserver.HttpTraceRequest.traceRaw
com.sap.engine.services.httpserver.HttpTraceResponse.traceHeaders
com.sap.engine.services.security.authentication
com.sap.security.core.logon
com.sap.security.core.ticket
com.sap.security.core.util
com.sap.security.core.server.jaas
See Log Configuration with SAP NetWeaver Administrator
http://help.sap.com/saphelp_nw73/helpdata/en/47/af551efa711503e10000000a42189c/content.htm
Don't forgot to change these back to default severity levels after the
issue has captured in the traces
Regards,
David