Good day,
We have a few users that are being locked out a few times a day. The domain controller logs show the account tries to authenticate 5 times and then locks out. Through the day, the account is authenticated unsuccessfully and most of the time does not reach 5 attempts before the 30 minute counter resets. The 4740 MS Windows Security logs on the domain controller point to our ADFS server as the Caller Computer Name. We turned on the extranet security feature last night and set the threshold to 4. Our internal lockout policy is 5. With a combination of 4 external and 5 internal attempts with a bad password, users are still being locked out. I have gathered logs for a particular case I am working on today. Names, domain and server names have all been. We have Account Management and Event logging turned on. I have also turned on AD FS tracing to see if I can gather more logs for this user. Any help or insight anyone can provide would be greatly appreciated. My goal is to:
1. Find the source of the lockouts.
2. Prevent users from being locked out without compromising our security by increasing the lockout thresholds
Domain controller log
Event ID 4740
Source Microsoft Windows security
Log name Security
Task Category User Account Management
Computer COMPANYDC
1/26/2015 - 6:15 AM
A user account was locked out.
Subject:
Security ID: SYSTEM
Account Name: COMPANYDC$
Account Domain: COMPANY
Logon ID: 0x3E7
Account That Was Locked Out:
Security ID: COMPANY\johndoe
Account Name: johndoe
Additional Information:
Caller Computer Name: ADFSSERVER
~~~~~~~~~
Event log from ADFSSERVER
EVENT ID 516
Source AD FS Auditing
Log name Security
Task Category 3
Computer ADFSSERVER
1/26/2016 - 6:07 AM
The following user account has been locked out due to too many bad password attempts.
Additional Data
Activity ID: 00000000-0000-0000-0000-000000000000
User:
johndoe@company.com
Client IP:
190.115.180.232,157.56.238.252
Bad Password Count:
4
Last Bad Password Attempt:
1/26/2016
~~~~~~~~~
Other Event ID 512/516 since 6:15 AM
Client IP:
190.115.179.140,157.56.238.252
Client IP:
206.16.109.48,132.245.38.237
~~~~~~~~~
Event ID 411
Source AD FS Auditing
Log name Security
Computer ADFSSERVER
1/26/2015
Token validation failed. See inner exception for more details.
Additional Data
Activity ID: 00000000-0000-0000-0000-000000000000
Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
Error message:
johndoe@company.com-The user name or password is incorrect
Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException:
johndoe@company.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
~~~~~~~~~
EVENT ID 4625
Source Microsoft Windows Security
Log name Security
Task Category Logon
Computer ADFSSERVER
1/26/2015 - 6:15 AM
An account failed to log on.
Subject:
Security ID: COMPANY\adfs
Account Name: adfs
Account Domain: COMPANY
Logon ID: 0x95292
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: johndoe@company.com
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A
Process Information:
Caller Process ID: 0xe08
Caller Process Name: C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe
Network Information:
Workstation Name: ADFSSERVER
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: W
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
~~~~~~~~~
EVENT ID 342
Source AD FS
Log name AD FS/Admin
Task Category Logon
Computer ADFSSERVER
1/26/2015 - 6:15 AM
Token validation failed.
Additional Data
Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
Error message:
johndoe@company.com-The user name or password is incorrect
Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException:
johndoe@company.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
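A way to work goal 1 from these logs, as an added example and not the poster's own script: pull the AD FS 512/516 audits for the one user, extract the forwarded client address they carry, and line them up with the DC's 4740s and the extranet lockout settings. It assumes it runs in an elevated PowerShell on the AD FS server with remote event log access to the DC, that `$User`, `$Dc` and `$Since` are placeholders to adjust, and that the two-address `Client IP` value is `<forwarded client>,<relaying proxy>` (an assumption drawn from the shape of the 516 in the post).

```powershell
# Added example (not from the original post): find the client behind the bad
# passwords instead of stopping at "Caller Computer Name: ADFSSERVER".
# Assumptions: elevated PowerShell on the AD FS server, remote event log access
# to the DC; $User / $Dc / $Since are placeholders to adjust.
$User  = 'johndoe@company.com'
$Dc    = 'COMPANYDC'
$Since = (Get-Date).AddHours(-24)

# 512 = locked-out account still attempting, 516 = extranet lockout reached;
# both carry the "Client IP" field shown in the post (411 does not).
$adfs = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 512, 516; StartTime = $Since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match [regex]::Escape($User) }

# "Client IP: a.b.c.d,e.f.g.h" is read as <forwarded client>,<relaying proxy>
# (assumption based on the two-address value in the 516 event).
$sources = foreach ($e in $adfs) {
    if ($e.Message -match 'Client IP:\s*([\d\.]+)(?:,([\d\.]+))?') {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            EventId  = $e.Id
            ClientIP = $Matches[1]
            ProxyIP  = $Matches[2]
        }
    }
}

# Which forwarded client keeps sending the bad password, and via which relay.
$sources | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'ProxyIPs'; e = { ($_.Group.ProxyIP | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# DC side: 4740s for the same account (sAMAccountName, not UPN) in the same window.
$Sam = ($User -split '@')[0]
Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "(?s)Account That Was Locked Out:.*?Account Name:\s*$([regex]::Escape($Sam))" } |
    Select-Object TimeCreated,
        @{ n = 'Caller'; e = { if ($_.Message -match 'Caller Computer Name:\s*(\S+)') { $Matches[1] } } } |
    Format-Table -AutoSize

# Confirm the extranet threshold sits below the domain threshold (4 < 5 here).
# Extranet lockout only sees requests that arrive through the Web Application Proxy;
# bad passwords submitted directly to the internal AD FS farm go straight to AD.
Get-AdfsProperties | Select-Object ExtranetLockoutEnabled, ExtranetLockoutThreshold, ExtranetObservationWindow
```

The 4625 on ADFSSERVER (Logon Type 3, subject COMPANY\adfs, Sub Status 0xC000006A = wrong password) is the AD FS service account relaying the same bad password to the DC, which is why the 4740 caller will always read ADFSSERVER and the forwarded client address from 512/516 is what identifies the device.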