Pinniped Login Fails with 400 Bad Request for Only 1 User Account

Article ID: 376446

Products

  • VMware Tanzu Kubernetes Grid Management
  • VMware Tanzu Kubernetes Grid
  • VMware Tanzu Kubernetes Grid 1.x
  • Tanzu Kubernetes Grid

Issue/Introduction

Logging in with Pinniped to Active Directory fails for only 1 user account. All other users are able to log in successfully using the same kubeconfig file.

Steps to reproduce:

  1. Run any kubectl command using a kubeconfig: kubectl get ns --kubeconfig=<creds file>
  2. Link for token is generated.
  3. Paste link into browser.
  4. Provide credentials.
  5. Log into Windows server successfully.
  6. Token is generated.
  7. Enter token into terminal.
  8. Error message is generated.

Error:

Error: could not complete Pinniped login: error handling callback: oauth2: cannot fetch token: 400 Bad Request

Response: {"error":"invalid_grant","error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}

Error: pinniped-auth login failed: exit status 1

Environment

  • VMware Tanzu Kubernetes Grid 2.3+

Cause

The cause should be investigated in Active Directory. 

Resolution

Possible solutions:

  • Change user's password in AD.
  • Create a new user account in AD.
  • Investigate and resolve the issue in AD.