Cross domain or cross forest authentication fails.
Users are not resolved as being ALLOWED when they are in a nested group in the users.allow file.
Cross domain groups not working in version 18.104.22.16853 version.
Product defect 473244 seen in version 22.214.171.12453:
Description: tokenGroups now doesn't get global group memberships
Upgrade to Authentication Services 4.1 Maintenance Fix