If BADUSER or BADPASS is seeing in the logs and reports, this refers to the login credentials being rejected.
There are potentially several factors which could lead to this behavior.
Confirm if other users are able to login successfully.
Use the Network Tools to confirm that TPAM is able to connect to a Domain Controller on port 389.
Please ensure that the the WinAD External Authentication settings in TPAM are correct. If necessary, try pointing to a different Domain Controller.
Ensure that the user's password is valid and the account is not locked or disabled.