Self Service Password Reset
Active Directory environment
"Allow unlock" is set to "True" in forgotten password module
User account is locked by intruder detection
SSPR user is not given opportunity to unlock account
User does not see the "unlock" button on the change password page
No option to unlock is visible on the change password page.
Point SSPR to the primary domain controller.
Problem was with AD synchronization. One domain controller showed the user as locked and the other did not. SSPR was was pointing to a secondary DC that did not show the user account as being locked at all. Pointing to the PDC (which did show the account as locked) allowed the unlock button to be made visible.