Trying to update or add a Target Account in AD by means of a service account results in the error:
"PAM-CM-0572: An error occurred. If this problem persists please ask your Administrator to investigate"
This is a rather generic error, but one of the causes that may trigger it is an incorrect definition of the Service Account.
If the Service Account used to add or rotate the target account has a DN definition in PAM that is not the same as the one it has in AD, for instance because of a typo, then this error will be displayed.
For instance, let's imagine that the service account used to rotate the passwords in PAM, SVC_ACCOUNT_DIR, has the following DN definition in its configuration:
CN=SVC_ACCOUNT_DIR, DC=example, DC= com
But in AD the same account has this other definition:
CN=SVC_ACCOUNT, DC=example, DC= com
That will cause SVC_ACCOUNT_DIR to fail verification and the error to show up.
Another case which may cause this error is having the Target Application defined as a domain name, not as a DC in that domain.
In this case, if there is a problem with replication of accounts or any other issue between domain controllers, there will be no proper exchange of credentials with AD and this error will show up.
Make sure the definition of the Service Account is consistent in Active Directory and PAM. Also make sure that the Target Application is pointing to a specific Domain Controller, not the generic domain name, which may return several different DCs. This rules out a problem connecting to one of the DCs in the domain.
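One way to carry out the DN consistency check described above, as an added example that is not part of the original article or of PAM itself: it compares the DN typed into PAM with the distinguishedName copied from AD and reports which component differs. The function names are hypothetical, both strings are assumed to be pasted in by hand, and whitespace padding and letter case are treated as insignificant.

```python
# Added example: compares the DN configured in PAM with the DN copied from AD.
def parse_dn(dn):
    """Split a DN into (ATTRIBUTE, value) pairs, keeping backslash-escaped commas."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # escaped character stays inside the value
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf))    # unescaped comma ends the current RDN
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        # Assumption: whitespace padding around '=' and ',' is insignificant.
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_mismatches(pam_dn, ad_dn):
    """Return a list of readable differences; an empty list means the DNs match."""
    pam, ad = parse_dn(pam_dn), parse_dn(ad_dn)
    diffs = []
    if len(pam) != len(ad):
        diffs.append(f"RDN count differs: PAM has {len(pam)}, AD has {len(ad)}")
    for pos, (p, a) in enumerate(zip(pam, ad), start=1):
        # AD matches DN components case-insensitively.
        if (p[0], p[1].casefold()) != (a[0], a[1].casefold()):
            diffs.append(f"RDN {pos}: PAM '{p[0]}={p[1]}' vs AD '{a[0]}={a[1]}'")
    return diffs


if __name__ == "__main__":
    # The two DNs from the article, as they would be pasted in (assumption).
    pam_dn = "CN=SVC_ACCOUNT_DIR, DC=example, DC= com"
    ad_dn = "CN=SVC_ACCOUNT, DC=example, DC= com"
    for line in dn_mismatches(pam_dn, ad_dn) or ["DNs match"]:
        print(line)
```

With the two DNs from the article, only the first component is reported, which shows that the spacing is not the cause of the mismatch and the CN is.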