Windows service accounts in are being used to rotate admin credentials in the production environment. The credentials are rotated for the svc account in PAM, show as verified and then becomes locked again instantly.
The AD Timeout was doubled on the Target Application page, from the default 3000ms to 6000ms. After doing this passwords could be rotated using this application. There is still a defect, as there was no indication in the Tomcat log that the timeout had occurred, and was the cause of the rotation failure.