Cross domain or cross forest authentication fails.
Users are not resolved as being ALLOWED when they are in a nested group in the users.allow file.
Cross domain groups not working in version 22.214.171.12453 version.
Product defect 473244 seen in version 126.96.36.19953:
Description: tokenGroups now doesn't get global group memberships
Upgrade to Authentication Services 4.1 Maintenance Fix