I've an implementation of Identity Server 4 with ASP.NET Identity. I asked an earlier question about how I would apply certain login rules and received an answer explaining how I could add some options in Startup.cs. Here's what I added to the ConfigureServices method:

services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Password.RequiredLength = 9;
    options.Password.RequireDigit = true;
    options.Password.RequireLowercase = true;
    options.Password.RequireUppercase = true;
    options.Password.RequireNonAlphanumeric = false;
    options.SignIn.RequireConfirmedEmail = true;
})
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();

The password rules seem to work, but the lockout rules have no effect. Is there something I need to enable?

Not sure how I missed this. The lockout feature happens as part of the sign-in process in the PasswordSignInAsync method on the SignInManager. The line of code I needed to change is part of the Login method in the AccountController:

SignInManager.PasswordSignInAsync(
    model.Email,
    model.Password,
    model.RememberLogin,
    lockoutOnFailure: true); // <- HERE