Hi Nuruddin,
Kerberos does support a message type to inform the client (aka your F5) that an account is currently locked out. You can display this message on your login page by enabling the "Show Extended Error" option on your AD-Auth action item, or by evaluating the "session.ad.last.errmsg" value within a branch rule to display a more user-friendly error page if you like. You may also perform an AD-Query action right before your AD-Auth action to retrieve the current account lockout status (aka doing some math on the badPwdCount, badPasswordTime and lockoutTime attributes) before initiating the AD-Auth. This approach allows you to configure an AD-independent account lockout threshold on your F5 (slightly lower than AD), so that your F5 will effectively not lock out your internal user accounts anymore.
The "HostAddress" field I was referring to in my previous post is an informational field used by Kerberos to include the name of the computer system from which the authentication request was initiated. This field will be used by your domain controller to generate a more detailed Err4740 log entry. The difference between your F5 and a Windows system is that the Windows system will send its NETBIOS name to the KDC but the F5 doesn't. That's why you will see just an empty "Caller Computer Name" value in your Err4740 log entries.
As Lucas already mentioned: the best thing you can do now is to open a support ticket and ask F5 to include support for the "HostAddress" field, so that your F5 can be easily identified as the source of the account lockout. As a workaround for now, you have to search for the last related Err4771 log message (aka pre-authentication failed) and then simply use the included "Client Address" field to identify your F5 as the origin of the authentication request that has locked out the account.
Cheers, Kai
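The two techniques from Kai's reply (the AD-Query "math" on badPwdCount, badPasswordTime and lockoutTime before the AD-Auth, and pulling the "Client Address" out of the last 4771 event) as an added, runnable Python example; this is not code from the original thread nor from F5. The policy values, the lower F5-side threshold and the 4771 event text are constructed for illustration. One caveat a practitioner should keep in mind when doing this on a real domain: badPwdCount and badPasswordTime are not replicated between domain controllers, so the AD-Query must hit the PDC emulator (or every DC) to see the true count, while lockoutTime is replicated.

```python
"""Pre-check AD lockout attributes before an AD-Auth, and extract the
Client Address from a 4771 event. Added example; not F5 or Microsoft code."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# AD stores badPasswordTime / lockoutTime as Windows FILETIME:
# 100-nanosecond ticks since 1601-01-01 00:00 UTC. 0 means "never".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Integer arithmetic on purpose: the microsecond count since 1601 exceeds
    # 2**53, so a float division would lose precision.
    d = dt - FILETIME_EPOCH
    micros = (d.days * 86400 + d.seconds) * 10**6 + d.microseconds
    return micros * 10


@dataclass
class LockoutPolicy:
    ad_threshold: int                       # domain "Account lockout threshold"
    observation_window: timedelta           # "Reset account lockout counter after"
    lockout_duration: Optional[timedelta]   # None = stays locked until an admin unlocks
    f5_threshold: int                       # assumed lower threshold enforced on the F5


def account_state(bad_pwd_count: int, bad_password_time: int,
                  lockout_time: int, policy: LockoutPolicy, now: datetime) -> str:
    """Return 'locked', 'held_by_f5' or 'ok' from the three AD attributes.

    'held_by_f5' means the F5 should not forward the credentials to AD,
    because one more failure would push the account over the AD threshold.
    """
    if lockout_time:
        locked_at = filetime_to_datetime(lockout_time)
        if policy.lockout_duration is None or now - locked_at < policy.lockout_duration:
            return "locked"
    # The DC only resets badPwdCount lazily (on the next bad password after
    # the window, or on a successful logon), so a stale count must be ignored.
    in_window = bad_pwd_count and (
        now - filetime_to_datetime(bad_password_time) <= policy.observation_window)
    effective = bad_pwd_count if in_window else 0
    if effective >= policy.f5_threshold:
        return "held_by_f5"
    return "ok"


# Constructed 4771 ("Kerberos pre-authentication failed") event text.
# 0x18 is KDC_ERR_PREAUTH_FAILED (wrong password); 0x12 would be
# KDC_ERR_CLIENT_REVOKED (account locked or disabled).
SAMPLE_4771 = """Kerberos pre-authentication failed.
Account Information:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105
\tAccount Name:\t\tjdoe
Service Information:
\tService Name:\t\tkrbtgt/CORP
Network Information:
\tClient Address:\t\t::ffff:10.0.0.5
\tClient Port:\t\t51234
Additional Information:
\tTicket Options:\t\t0x40810010
\tFailure Code:\t\t0x18
"""


def client_address_from_4771(event_text: str) -> Optional[str]:
    """Pull the Client Address from a 4771 event, dropping the IPv4-mapped prefix."""
    m = re.search(r"Client Address:\s*(\S+)", event_text)
    if not m:
        return None
    addr = m.group(1)
    return addr[len("::ffff:"):] if addr.startswith("::ffff:") else addr


def failure_code_from_4771(event_text: str) -> Optional[int]:
    m = re.search(r"Failure Code:\s*(0x[0-9a-fA-F]+)", event_text)
    return int(m.group(1), 16) if m else None


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    policy = LockoutPolicy(ad_threshold=5, observation_window=timedelta(minutes=30),
                           lockout_duration=timedelta(minutes=30), f5_threshold=4)
    recent = datetime_to_filetime(now - timedelta(minutes=5))
    print(account_state(4, recent, 0, policy, now))          # held_by_f5
    print(client_address_from_4771(SAMPLE_4771))             # 10.0.0.5
```

The decision function is written against the AD-Query result as the F5 would see it; in APM the same comparison would sit in a branch rule on the session variables the AD-Query populates, with the "held_by_f5" branch going to the error page instead of the AD-Auth action.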