With the LDAPS enforcement coming in March I've been running down services configured with plain LDAP.  Our AV environment (4.0 GA now, previously 2.18) is two manager servers in an AD forest of three domains.  The managers are in domain A along with the security groups used for assignments while computer and user objects are in domains B and C.  I've been able to assign stacks to the security groups in domain A and have it work great since the beginning even though documentation says that cross-forest groups and nesting do not function / are not recommended.

I imported our root CA cert to each manager, disabled NTLM in the environment variable (error 401 from agents otherwise), and switched to LDAPS for each trusted domain.  No errors there except that when logging in there are no stacks attached.  The svservice.log file says that 0 attachments are assigned and looking up that account in the manager portal confirms 0 assignments and attachments so it obviously can't query through the group in domain A for the users in domain B/C.  Using a group in the same domain as the user or directly assigning the account works fine. 

Have I overlooked something small or am I doomed to duplicate my security groups for app assignments to domains B and C now that I'm using LDAPS?  Appreciate any insights that people may have!