Thursday 8 December 2011

Confused by authentication failures in /var/log/secure

We have an application (MOVEit Central) that connects to some Linux servers every 15 minutes. Using PAM, the machines are using usernames/groups from our Windows DC. When a normal user (in this case me) SSHes to the box, we see this:

{this is a complete login/logoff}

Dec 8 10:40:26 stlxxxapp-prd1 sshd[4492]: pam_succeed_if(sshd:account): requirement "user ingroup unixmove" was met by user "er_wl215421"
Dec 8 10:40:26 stlxxxapp-prd1 sshd[4492]: Accepted publickey for er_wl215421 from 172.xx.xx.xxx port 1371 ssh2
Dec 8 10:40:26 stlxxxapp-prd1 sshd[4492]: pam_unix(sshd:session): session opened for user er_wl215421 by (uid=0)
Dec 8 10:40:28 stlxxxapp-prd1 sshd[4492]: pam_unix(sshd:session): session closed for user er_wl215421

When the service user account logs in, however, we see this:

Dec 8 10:41:30 stlxxxapp-prd1 sshd[5040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.xx.xx.xxx user=srvmovitc
Dec 8 10:41:30 stlxxxapp-prd1 sshd[5040]: pam_winbind(sshd:auth): user 'srvmovitc' granted access
Dec 8 10:41:30 stlxxxapp-prd1 sshd[5040]: pam_succeed_if(sshd:account): requirement "user ingroup unixmove" was met by user "srvmovitc"
Dec 8 10:41:30 stlxxxapp-prd1 sshd[5040]: Accepted password for srvmovitc from 172.xx.xx.xxx port 1384 ssh2
Dec 8 10:41:30 stlxxxapp-prd1 sshd[5040]: pam_unix(sshd:session): session opened for user srvmovitc by (uid=0)
Dec 8 10:41:31 stlxxxapp-prd1 sshd[5040]: pam_unix(sshd:session): session closed for user srvmovitc


I am confused as to why this specifically is occurring, because the account is set up in AD the same as my own.

Dec 8 10:41:30 stlxxxapp-prd1 sshd[5040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.22.19.123 user=srvmovitc
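
One way to triage these entries, as an added example that is not part of the original post: it groups sshd lines by PID and reports, for each pam_unix(sshd:auth) failure, whether the same sshd process later logged a pam_winbind grant and an Accepted line for the same user, as sshd[5040] does in the excerpt above. The sample lines, the host name and the 192.0.2.x addresses are constructed, and PIDs are assumed not to be reused within the input.

```python
import re

# Constructed sample modelled on the excerpts in the post; host and addresses are placeholders.
SAMPLE = """\
Dec 8 10:40:26 host1 sshd[4492]: Accepted publickey for alice from 192.0.2.10 port 1371 ssh2
Dec 8 10:41:30 host1 sshd[5040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=srvmovitc
Dec 8 10:41:30 host1 sshd[5040]: pam_winbind(sshd:auth): user 'srvmovitc' granted access
Dec 8 10:41:30 host1 sshd[5040]: Accepted password for srvmovitc from 192.0.2.10 port 1384 ssh2
Dec 8 10:42:02 host1 sshd[5101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.77 user=srvmovitc
Dec 8 10:42:04 host1 sshd[5101]: Failed password for srvmovitc from 192.0.2.77 port 2201 ssh2
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
UNIX_FAIL = re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)")
WINBIND_OK = re.compile(r"pam_winbind\(sshd:auth\): user '(?P<user>[^']+)' granted access")
ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from ")


def classify(text):
    """Return {pid: verdict} for each sshd process that logged a pam_unix auth failure.

    Assumes PIDs are not reused within the input (hypothetical simplification).
    """
    state = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if f := UNIX_FAIL.search(msg):
            s = state.setdefault(pid, {"user": f["user"], "fails": 0, "grants": 0, "accepted": None})
            s["fails"] += 1
        elif pid in state:
            s = state[pid]
            if (w := WINBIND_OK.search(msg)) and w["user"] == s["user"]:
                s["grants"] += 1
            elif (a := ACCEPTED.search(msg)) and a["user"] == s["user"]:
                s["accepted"] = a["method"]
    verdicts = {}
    for pid, s in state.items():
        if s["accepted"] and s["grants"] >= s["fails"]:
            verdicts[pid] = "superseded"  # every pam_unix failure was followed by a winbind grant
        elif s["accepted"]:
            verdicts[pid] = "accepted-after-failure"  # at least one attempt failed outright
        else:
            verdicts[pid] = "unresolved"  # no successful login seen for this process
    return verdicts


if __name__ == "__main__":
    for pid, verdict in classify(SAMPLE).items():
        print(f"sshd[{pid}]: {verdict}")
```

Only the "unresolved" and "accepted-after-failure" verdicts represent attempts that were actually rejected; "superseded" marks a pam_unix failure that a later module in the same login overrode.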
