Regarding the problem with the user getting locked in SAP, I have an idea that might be worth looking at: what kind of technology does this KABA system use for RFC communication? If it is an older version of librfc32.dll or an older version of JCo 2, the problem could be caused by the "new" passwords available since R/3 Kernel release 7.00.
In older releases the password used to be 8 characters, all UPPERCASE, while starting with 7.00 passwords of length 40 characters with mixedCase are possible. Older versions of librfc32.dll and JCo did not yet support the new passwords, so if the user has a long and/or mixedCase password and KABA still uses an older RFC technology, the password might get truncated after 8 chars and/or converted to UPPERCASE, causing a login failure. And after a few attempts the user will get locked.
Workaround: give the user a password with at most 8 chars, all UPPERCASE.
Best Regards, Ulrich
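
The failure mode described in the post above, as an added sketch that is not part of the original post and not SAP or KABA code: a simplified model of a legacy RFC client that truncates to 8 characters and uppercases, replayed against a server that compares case-sensitively and counts failures. The class and function names, the sample passwords and the lock threshold of 3 are assumptions made for the illustration.

```python
# Added illustration: simplified model, not SAP or KABA code.
LEGACY_MAX_LEN = 8  # password length in older releases, per the post


def legacy_client_transform(password: str) -> str:
    """What an older RFC library may send: cut after 8 chars, UPPERCASE."""
    return password[:LEGACY_MAX_LEN].upper()


def survives_legacy_client(password: str) -> bool:
    """True if the legacy transformation leaves the password unchanged."""
    return legacy_client_transform(password) == password


class ModelServer:
    """Toy server: exact, case-sensitive comparison plus a failed-logon counter."""

    def __init__(self, password: str, lock_threshold: int):
        self.password = password
        self.lock_threshold = lock_threshold  # assumed value, site-specific
        self.failed = 0
        self.locked = False

    def logon(self, sent: str) -> str:
        if self.locked:
            return "LOCKED"
        if sent == self.password:
            self.failed = 0
            return "OK"
        self.failed += 1
        if self.failed >= self.lock_threshold:
            self.locked = True  # the attempt that reaches the threshold locks the user
            return "LOCKED"
        return "FAILED"


def replay_interface_logons(password: str, attempts: int, lock_threshold: int = 3):
    """Replay an interface that retries with the same stored password."""
    server = ModelServer(password, lock_threshold)
    return [server.logon(legacy_client_transform(password)) for _ in range(attempts)]


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw in ("KABA1234", "Kaba1234", "KABAINTERFACE1"):
        print(pw, survives_legacy_client(pw), replay_interface_logons(pw, 4))
```

Only the first sample password, which is at most 8 characters and all uppercase, logs on; the other two lock the user on the third retry in this model.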