I have a lot of Centos servers authenticating to AD and am trying to get a single RHEL system to also authenticate. "id [my ID]" and "getent passwd [my ID]" return the desired output. I can su to the account. But logging in with my ID receives "Permission denied" or "Access denied" depending where I am coming from when sshing in after I enter my password. I can ssh in with my local account. The DS is working. I have repeatedly unlocked the account after the locked notice appears in /var/log/secure. I changed the timezone to match the rest of my systems, and restarted sssd, sshd and ntpd but haven't rebooted, so the logs reflect the old time.

What version of RHEL?
Which Windows server (20116, 2019)?
CentOS that works, which version?

You mention, Where are you unlocking - AD or locally?

Next time try to ssh with "-vvv" flags which will may give you some helpful info.

Also, did you check in event viewer on Windows side when the login fails?

I unlock it locally and verify my account still has access elsewhere.
The "-vvv" option after the password is entered for the AD account returns the message "receive packet: type 51" and "Authentications that can continue: publickey,password" right before "Permission denied". The local account returns "receive packet: type 52" between password and success. They both "send packet: type 50".
Thanks for your help!