Cross domain or cross forest authentication fails.
Users are not resolved as being ALLOWED when they are in a nested group in the users.allow file.
Cross domain groups not working in version 220.127.116.1153 version.
Product defect 473244 seen in version 18.104.22.16853:
Description: tokenGroups now doesn't get global group memberships
Upgrade to Authentication Services 4.1 Maintenance Fix