From debugging the logs, I notice that elasticsearch is searching the elastic built-in accounts on active-directory which obviously won't exist.
[2020-07-13T20:37:16,419][TRACE][o.e.x.s.a.AuthenticationService] [] Found existing authentication [Authentication[User[username=_system,roles=[_system],fullName=null,email=null,metadata={}],type=INTERNAL,by={Realm[__attach.__attach] on Node[elasticsearch-3.Host-Name]}]] in request [transport request action [internal:coordination/fault_detection/follower_check]]
[2020-07-13T20:37:16,563][TRACE][o.e.x.s.a.AuthenticationService] [] Found existing authentication [Authentication[User[username=logstash_admin_user,roles=[logstash_admin,logstash_reader,logstash_writer],fullName=Logstash XPack Mgmt ,email=logstash@,metadata={}],type=REALM,by={Realm[native.default_native] on Node[elasticsearch-3.Host-Name]}]] in request [transport request action [indices:data/read/mget[shard][s]]]
[2020-07-13T20:37:16,570][TRACE][o.e.x.s.a.AuthenticationService] [] Found authentication credentials [org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken] for principal [logstash_admin_user] in request [rest request uri [/]]
[2020-07-13T20:37:16,578][DEBUG][o.e.x.s.a.l.LdapRealm ] [<Elasticsearch-Host>] Exception occurred during authenticate for active_directory/corp_ad
com.unboundid.ldap.sdk.LDAPBindException: 80090308: LdapErr: DSID-0C090434, comment: AcceptSecurityContext error, data 52e, v4563
at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2273) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
at com.unboundid.ldap.sdk.LDAPConnectionPool.bindAndRevertAuthentication(LDAPConnectionPool.java:1619) ~[unboundid-ldapsdk-4.0.8.jar:4.0.8]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils$1.lambda$doRun$0(LdapUtils.java:135) ~[x-pack-security-7.8.0.jar:7.8.0]
at java.security.AccessController.doPrivileged(AccessController.java:554) ~[?:?]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.privilegedConnect(LdapUtils.java:74) ~[x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils$1.doRun(LdapUtils.java:135) [x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.maybeForkAndRun(LdapUtils.java:100) [x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils.maybeForkThenBindAndRevert(LdapUtils.java:151) [x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory$ADAuthenticator.authenticate(ActiveDirectorySessionFactory.java:285) [x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectorySessionFactory.getSessionWithPool(ActiveDirectorySessionFactory.java:116) [x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.ldap.PoolingSessionFactory.session(PoolingSessionFactory.java:96) [x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.ldap.LdapRealm.lambda$doAuthenticate$1(LdapRealm.java:131) [x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.xpack.security.authc.ldap.LdapRealm$CancellableLdapRunnable.doRun(LdapRealm.java:314) [x-pack-security-7.8.0.jar:7.8.0]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:695) [elasticsearch-7.8.0.jar:7.8.0]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-7.8.0.jar:7.8.0]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630) [?:?]
at java.lang.Thread.run(Thread.java:832) [?:?]
[2020-07-13T20:37:16,578][DEBUG][o.e.x.s.a.AuthenticationService] [] Authentication of [logstash_admin_user] using realm [active_directory/corp_ad] with token [UsernamePasswordToken] was [AuthenticationResult{status=CONTINUE, user=null, message=authenticate failed, exception=LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C090434, comment: AcceptSecurityContext error, data 52e, v4563 ', ldapSDKVersion=4.0.8, revision=28812)}]