Cross domain or cross forest authentication fails.
Users are not resolved as being ALLOWED when they are in a nested group in the users.allow file.
Cross domain groups not working in version 184.108.40.20653 version.
Product defect 473244 seen in version 220.127.116.1153:
Description: tokenGroups now doesn't get global group memberships
Upgrade to Authentication Services 4.1 Maintenance Fix