If you have the Account Lockout feature enabled, unsuccessful attempts to logon via RAS will trigger the lockout.
To resolve the problem, apply SP4 or later.
If your RAS server is NOT a Domain Controller, run Raslock.exe to install the RAALM (Remote Access Account Lockout Manager). In Control Panel / Services, configure its' Startup to use a Domain Admins account (any account that has the right to edit user accounts).
Use Regedt32 to navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters
Edit or Add Value name MaxDenials, a type REG_DWORD, and set the data value to the
number of consecutive bad attempts before locking the account. A value of 0 disables RAS account lockout.