We had an issue the today, and has been ongoing over the past few weeks. When a user attaches to the WI and authenticates with their domain credentials, they immediately receive a message indicating their account has been "temporarily locked out". What's interesting is when you look at the domain account via dsa.msc, the users account is not locked out. Here is what the event logs are saying:

Web interface: 5.1.1

1.) open the iis logs on your web interface - C:\WINDOWS\system32\LogFiles\W3SVC1 look for ex*** and the date which relates to your issue (iis logs depending on the activity will rotate once or twice a day).

2.) do a search for the clients ip address

3.) look for --> /Citrix/Metaframe/media/Error24.gif

4.) look for --> 2009-11-17 12:42:44 W3SVC1 clienIPAddress GET /Citrix/Metaframe/auth/login.aspx CTX_MessageType=ERROR&CTX_MessageKey=InvalidCredentials 80 - clientIPAddress Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.1;+MS-RTC+LM+8;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 200 0 0

It turns out (in our analysis) this specific issue had not been going on for a long time. The user in this case was having difficulty keying in their password several times. I Definitely understand the frustration one would experience, especially in a multi domain scenario where its difficult to sync up passwords on each domain due to password complexity requirements.

1.) CTX_MessageType=ERROR&CTX_MessageKey=BlankUsername&InvalidUsername=True

2.) CTX_MessageType=ERROR&CTX_MessageKey=AccountLockedOut

3.) CTX_MessageType=ERROR&CTX_MessageKey=InvalidCredentials

Right now, lets call this little case closed. If we get any more details or can replicate, we can definitely investigate more.

From System Log (1):The description for Event ID ( 2 ) in Source ( HECI ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component on the local computer, or contact the component manufacturer for a newer version.
If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwardings .
From System Log (2):The description for Event ID ( 31 ) in Source ( e1express ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component on the local computer, or contact the component manufacturer for a newer version.
If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwarding s , Intel(R) 82566DM-2 Gigabit Network Connection.
From System Log(3):The description for Event ID ( 10016 ) in Source ( DCOM ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component on the local computer, or contact the component manufacturer for a newer version.
If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwarding s application-specific, Local, Launch, {135D7881-D666-4046-A1DF-7EC7B5785A67}, NT AUTHORITY, SYSTEM,
From Application Log (1):Security policies were propagated with warning. 0x4b8 : An extended error has occurred.
For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".