There was a problem with how this server was binding itself against the Active Directory account provider. Following this suggestion, I changed “LDAP server URI” on “Account provider” from “ldap:// …” to “ldaps:// …” and disabled STARTTLS.
Problem solved.
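The two settings mentioned above (the LDAP server URI and the STARTTLS switch) together decide whether the bind credentials travel encrypted. As an added illustration, not code from the original post or from the account-provider software, the helper below classifies a URI/STARTTLS pair the way an administrator would want to check it before saving: `ldap://` with STARTTLS upgrades a plaintext connection to TLS, `ldaps://` is TLS from the first byte (implicit TLS, default port 636), `ldap://` without STARTTLS sends the bind password in the clear, and enabling STARTTLS on an `ldaps://` URI is a contradiction that servers typically reject. The hostnames are constructed and the `uri`/`starttls` parameters are assumptions standing in for the two form fields.

```python
from urllib.parse import urlsplit

# Default ports for the two LDAP URI schemes (RFC 4516 for ldap://, the
# conventional 636 for ldaps://).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def classify_ldap_binding(uri: str, starttls: bool) -> dict:
    """Describe how a bind over `uri` would be protected.

    `uri` and `starttls` are assumed to correspond to the "LDAP server URI"
    and STARTTLS fields of an account-provider form.  Returns a dict with
    the resolved host/port, whether the bind is encrypted, a human-readable
    transport mode and an `issue` string when the combination is unsafe or
    contradictory (None when it is fine).
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported LDAP scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("LDAP URI has no host component")

    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]

    if scheme == "ldaps":
        # TLS is negotiated before any LDAP message is exchanged, so the
        # bind is always protected; STARTTLS on top of that is meaningless.
        encrypted = True
        mode = "implicit TLS (LDAPS)"
        issue = (
            "STARTTLS cannot be layered on an LDAPS connection; disable it"
            if starttls
            else None
        )
    else:
        # Plain ldap:// starts in cleartext; only STARTTLS upgrades it.
        encrypted = starttls
        mode = "STARTTLS upgrade" if starttls else "plaintext"
        issue = (
            None
            if starttls
            else "bind credentials would be sent in the clear; enable STARTTLS or use ldaps://"
        )

    return {
        "host": parts.hostname,
        "port": port,
        "encrypted": encrypted,
        "mode": mode,
        "issue": issue,
    }


if __name__ == "__main__":
    # Constructed hostnames for demonstration only.
    for uri, starttls in [
        ("ldap://dc1.example.internal", False),   # the risky default
        ("ldap://dc1.example.internal", True),    # plaintext upgraded via STARTTLS
        ("ldaps://dc1.example.internal", True),   # the contradictory mix
        ("ldaps://dc1.example.internal", False),  # the configuration from the post
    ]:
        result = classify_ldap_binding(uri, starttls)
        print(f"{uri:32} starttls={starttls!s:5} -> {result['mode']:22} "
              f"port={result['port']} issue={result['issue']}")
```

Running the script prints one line per combination; the last row corresponds to the working configuration described above, and the third row shows why STARTTLS had to be switched off once the scheme became `ldaps://`.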