
TL;DR: Just look at the image linked below.

[Image: User group membership diagram]

We have an RD Gateway and Network Policy Server, both running on Windows Server 2012 R2 in an environment with forest functional level 2008 R2. A new two-way forest trust was created with OtherCompany, and as far as I can tell the trust works fine. However, NPS is failing to allow Remote Desktop users from the trusted domain, but only when those users are in a nested group.

  • NPS has basically one rule: allow if the user is a member of the group "Remote Users - Domain Local".
  • Within this group are two other groups, "OurCompany Remote Users" (Global) and "OtherCompany Remote Users" (Domain Local).
    • Within those groups are individual user accounts from their respective domains.
  • Users in "OurCompany Remote Users" have always matched the NPS rule.
  • Users in "OtherCompany Remote Users" were not matching the rule.
  • I discovered that if I added OtherCompany users directly to the Domain Local group mentioned by the NPS rule, they would start matching.
    • Directly adding individual users to resources is not an acceptable long-term arrangement; we need the ability to assign users to groups, and groups to have rights to resources, to avoid a security mess.

I haven't been able to find anyone else with an issue exactly like this. I would appreciate it if there were some documented behavior or best practice relevant to this.
