Active Directory Integration

Any tips on why my AD integration may be failing, or where to start looking / debugging?

Background:

RCS server deployed in database mode.

AD OU set up and permissioned.

Enterprise CA set up and template created and permissioned.

Profile created on the RCS

acuconfig.exe ConfigViaRCSOnly succeeds and provisions machine. Certificate is created by the CA, Computer object is created in the OU.

Logging on to https://127.0.01:16693/   works using Admin and the "Get configured Password" from the RCS

Logging on to https://127.0.01:16693/   fails for Domain accounts.

Am I missing something here? I assume this should work.

Provisioning command:

acuconfig.exe /Verbose /Output Console ConfigViaRCSOnly rcsserver.mydomain.com StandardLan /AbortOnFailure /ADOU OU=AMT,OU=Others,DC=mydomain,DC=com /RCSBusyRetryCount 5

Profile details (domain names changed for obvious reasons)

Profile Name: StandardLAN

Profile Type: Intel AMT

Network Settings
     FQDN will be the same as the Primary DNS FQDN
     IP will be taken from DHCP

Active Directory Integration
     Active Directory OU:OU=AMT,OU=Others,DC=mydomain,DC=com
Access Control List (ACL)      
     User 1: mydomain.com\AMTAdministrators
          User Type: Active Directory
          User has both remote and local access to the realms listed below
          Realms: Redirection, PT Administration, Hardware Asset, Remote Control, Storage, Event Manager, Storage Administration, Agent Presence Local, Agent Presence Remote, Circuit Breaker, Network Time, General Info, Firmware Update, EIT, Local User Notification, Endpoint Access Control, Endpoint Access Control Administrator, Event Log Reader, User Access Control
   
Transport Layer Security (TLS)
     Server authentication used for remote interface
     Server Authentication Certificate Properties:      
          Certificate Authority: ca-cert-001.mydomain.com\MYDOMAIN-ISSUING-CA-001
          Certificate Template: AMTWebServerCertificate
          Common Names (CNs) in certificate: DNS Host Name (FQDN), Host Name, SAM Account Name, User Principal Name, UUID

Network Configuration  
     WiFi
     Do not enable synchronization of Intel® AMT with host platform WiFi profiles

System Settings 
     Enabled Management Interfaces:
     Web UI
     Serial Over LAN
     IDE Redirection
     KVM
          RFB password not defined

     Power Management Settings: Always On (S0-S5), Timeout if idle: 3 minutes
     The Intel® AMT clock will be synchronized with the operating system clock
     Intel® AMT will not respond to ping requests
     Fast Call for Help (within the enterprise network) is Enabled