Scenario:
AD Forest 1: Contoso.com – Has an RDS deployment with RDSH, RDWEB, RDCB roles. No RD licensing or gateway role
AD Forest 2: Adatum.com - User accounts who want to access RemoteApp from contoso.com
>Contoso.com has a one-way Outgoing forest trust with Adatum.com.
>Contoso.com has a Universal security group called “AdatumUsers” with Adatum.com users as members.
>Session collection has been created with “AdatumUsers” group having permission.
Problem:
Adatum.com users are able to log in to the RD Web Access portal in Contoso.com, BUT when they launch one of the published RemoteApps, they are shown an RDP login box. After entering credentials, an RDP welcome screen appears, then an “Access is Denied” error message is shown and the session closes when the user clicks OK.
We see three 20499 events with the message “Remote desktop services has taken too long to load the user configuration from server <Server 1> for user <User1>” followed by event 42 indicating the session is closed.
On the AD server, we see “Failure Audit” logs for these attempts.
Has anyone seen this issue before and what is the solution?