Reputation: 27
I'm having some trouble with some users not being able to log on to RHEL machines using their Active Directory accounts. I've been looking for a solution for so many hours but can't seem to find anything, so any help is appreciated.
Listing most important sssd.conf settings:
/var/log/sssd/sssd_pam.log:
Colleague that logs in successfully:
(2024-09-25 14:50:47): [pam] [pd_set_primary_name] (0x0400): [CID#2] User's primary name is [email protected]
(2024-09-25 14:50:47): [pam] [pam_dp_send_req] (0x0100): [CID#2] Sending request with the following data:
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] command: SSS_PAM_SETCRED
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] domain: corporate.local
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] user: [email protected]
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] service: sshd
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] tty: ssh
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] ruser: not set
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] rhost: 10.20.30.40
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] authtok type: 0 (No authentication token available)
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] newauthtok type: 0 (No authentication token available)
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] priv: 1
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] cli_pid: 2254046
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] child_pid: 0
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] logon name: colleague_b
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] flags: 2
(2024-09-25 14:50:47): [pam] [pam_dom_forwarder] (0x0100): [CID#2] pam_dp_send_req returned 0
(2024-09-25 14:50:47): [pam] [pam_dp_send_req_done] (0x0200): [CID#2] received: [0 (Success)][corporate.local]
Colleague failing to log in:
[pam] [pd_set_primary_name] (0x0400): [CID#11] User's primary name is [email protected]
(2024-09-25 12:36:47): [pam] [pam_dp_send_req] (0x0100): [CID#11] Sending request with the following data:
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] command: SSS_PAM_AUTHENTICATE
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] domain: corporate.local
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] user: [email protected]
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] service: sshd
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] tty: ssh
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] ruser: not set
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] rhost: 10.20.30.40
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] authtok type: 1 (Password)
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] newauthtok type: 0 (No authentication token available)
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] priv: 1
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] cli_pid: 2200955
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] child_pid: 0
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] logon name: colleague_a
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] flags: 2
(2024-09-25 12:36:47): [pam] [pam_dom_forwarder] (0x0100): [CID#11] pam_dp_send_req returned 0
(2024-09-25 12:36:47): [pam] [pam_dp_send_req_done] (0x0200): [CID#11] received: [9 (Authentication service cannot retrieve authentication info)][corporate.local]
(2024-09-25 12:36:47): [pam] [pam_reply] (0x0400): [CID#11] Local auth policy allowed: smartcard [False], passkey [True]
Colleague that cannot log in has full control according to Active Directory:
Upvotes: 0
Views: 129
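The two excerpts differ in the backend reply on the pam_dp_send_req_done line (0 for the working user, 9, i.e. PAM_AUTHINFO_UNAVAIL, for the failing one); note also that they are different PAM phases (SSS_PAM_SETCRED versus SSS_PAM_AUTHENTICATE), so the failing user's own SSS_PAM_AUTHENTICATE reply is the one to compare. The helper below is an added example, not from the question or from SSSD: it groups sssd_pam.log lines by CID and reports each request's command, logon name and result, so failing requests can be picked out of a long log; the sample lines are constructed after the excerpts above.

```python
import re
from collections import defaultdict

# Constructed sample in the sssd_pam.log format shown in the question (not the original lines).
SAMPLE_LOG = """\
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] command: SSS_PAM_SETCRED
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] domain: corporate.local
(2024-09-25 14:50:47): [pam] [pam_print_data] (0x0100): [CID#2] logon name: colleague_b
(2024-09-25 14:50:47): [pam] [pam_dp_send_req_done] (0x0200): [CID#2] received: [0 (Success)][corporate.local]
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] command: SSS_PAM_AUTHENTICATE
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] domain: corporate.local
(2024-09-25 12:36:47): [pam] [pam_print_data] (0x0100): [CID#11] logon name: colleague_a
(2024-09-25 12:36:47): [pam] [pam_dp_send_req_done] (0x0200): [CID#11] received: [9 (Authentication service cannot retrieve authentication info)][corporate.local]
"""

# "(timestamp): [pam] [function] (debug level): [CID#n] message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[pam\] \[(?P<func>\w+)\] \(0x[0-9a-f]+\): \[CID#(?P<cid>\d+)\] (?P<msg>.*)$"
)
# "received: [<pam code> (<pam text>)][<domain>]" as printed by pam_dp_send_req_done
RESULT_RE = re.compile(r"received: \[(?P<code>\d+) \((?P<text>[^)]*)\)\]\[(?P<domain>[^\]]*)\]")
FIELDS = ("command", "domain", "service", "rhost", "logon name")

def parse_pam_log(text):
    """Group log lines by client id (CID) and collect each request's printed
    fields plus the final backend reply code and text."""
    reqs = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without the timestamp/CID prefix are skipped
        req = reqs[int(m["cid"])]
        req.setdefault("ts", m["ts"])
        if m["func"] == "pam_print_data":
            key, _, value = m["msg"].partition(": ")
            if key in FIELDS:
                req[key] = value
        elif m["func"] == "pam_dp_send_req_done":
            r = RESULT_RE.search(m["msg"])
            if r:
                req["code"] = int(r["code"])  # 0 = PAM_SUCCESS, 9 = PAM_AUTHINFO_UNAVAIL
                req["result"] = r["text"]
    return dict(reqs)

def failed_requests(text):
    """(cid, logon name, command, code, result) for every request whose backend reply is non-zero."""
    return [(cid, r.get("logon name"), r.get("command"), r["code"], r["result"])
            for cid, r in sorted(parse_pam_log(text).items()) if r.get("code", 0) != 0]
```

Run it over the real /var/log/sssd/sssd_pam.log with debug_level raised to see every non-zero reply per user and per PAM phase; the domain-side reason for a code 9 then has to be read from the matching CID in sssd_<domain>.log.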