Thanks Tim.
I suppose that what confused me is that "# ad auth -u USER -n DOMAIN" command is the only troubleshooting command I was able to find that should confirm if bind account is correctly setup (and it seems I was wrong in using it :-)).
Am I correct in thinking that only these three conditions are enough to make bind account:
1. Service account
2. Password never expires
3. Not restricted at which machine it can log on
Regarding issues from the beginning of the thread, before we tested joining CPPM to Domain with domain admin account we were seeing this in Access Tracker when user tried to authenticate:
After leaving domain and re-joining (that might have been all that was required to fix issue!) authentication requests started coming through. Thanks.
Regards,
NesaM