I'm reviewing RAS and am running into an issue trying to use our company SAML authentication to log users into the resource domain "DomainB" using users from the accounts domain "DomainA". A and B have a two-way trust with no restrictions.

- The CA is server01.DomainB.local\DomainRootCA
- For testing there is a user account in both domains that matches the SAML email address used for testing.
- I have gotten authentication working with test user accounts in DomainB using enrolman@domainb.local.
- If I change the authentication domain to "DomainA", authentication fails with the error below on the enrollment server.

[I 6D/00000025/T1B08/P1A88] 28-10-24 11:17:55 - No valid certificate for user jack.hanna (CN=hanna\, jack,OU=Users,OU=company,OU=Desktop,DC=hometown,DC=local) was found. A new certificate needs to be enrolled
[W 6D/00000025/T1B08/P1A88] 28-10-24 11:17:58 - Failed to enroll certificate for user jack.hanna (CN=hanna\, hanna,OU=Users,OU=company,OU=Desktop,DC=hometown,DC=local) (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.

- On the CA there is a Failed Request: "Configuration information could not be read by the domain controller...." "Denied by Policy Module"
- If I change the EnrollMan account to enrolman@domainA.local, the Enrollment server says Unavailable.
- DomainA users can log into DomainB RDSH servers.

What am I missing?
I got it working after changing the two-way trust to a forest trust and following "AD CS: Deploying Cross-forest Certificate Enrollment": https://learn.microsoft.com/en-us/p...nd-2008/ff955845(v=ws.10)?redirectedfrom=MSDN
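The following PowerShell script is an added example, not code from the thread or from the linked Microsoft guide. It checks the three things that the forest-trust fix depends on: that the trust the resource forest holds to the account forest is a forest trust (an external two-way trust is not enough), that the CA is published in the Enrollment Services container of both forests' Configuration partitions, and that the CA certificate is in both forests' NTAuthCertificates store. The CA name and resource DC come from the post; the account-forest DC name (dc01.DomainA.local) is an assumption, as is the presence of the RSAT ActiveDirectory module and read access to both Configuration partitions.

```powershell
# Added example (not from the original thread or the linked guide): sanity checks
# for cross-forest AD CS enrollment after converting the external trust to a
# forest trust. Assumptions not in the post: the account-forest DC name, the
# RSAT ActiveDirectory module being installed, and read access to both forests'
# Configuration partitions from the account this runs under.
Import-Module ActiveDirectory

$ResourceDC    = 'server01.DomainB.local'   # resource forest DC; also hosts the CA in the post
$AccountDC     = 'dc01.DomainA.local'       # assumed account-forest DC name
$AccountForest = 'DomainA.local'
$CaCommonName  = 'DomainRootCA'

# 1. The trust from the resource forest to the account forest must be a forest
#    trust (ForestTransitive = True). An external trust gives users logon to
#    RDSH but does not give the CA/enrollment client what it needs to resolve
#    the user's forest for enrollment.
$trust = Get-ADTrust -Server $ResourceDC -Filter "Name -eq '$AccountForest'"
if (-not $trust) { throw "No trust to $AccountForest found on $ResourceDC" }
"Trust to $($trust.Name): Direction=$($trust.Direction) ForestTransitive=$($trust.ForestTransitive)"
if (-not $trust.ForestTransitive) {
    Write-Warning 'Trust is not a forest trust; cross-forest enrollment requires one.'
}

# 2. The CA must be published in the Enrollment Services container of BOTH
#    forests' Configuration partitions; enrollment clients locate CAs there.
#    The linked guide copies the pKIEnrollmentService object with PKISync.ps1.
function Get-PublishedCA {
    param([string]$Server, [string]$CaName)
    $cfgNC = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $base  = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC"
    Get-ADObject -Server $Server -SearchBase $base -Filter "Name -eq '$CaName'" `
        -Properties dNSHostName, certificateTemplates
}
foreach ($dc in @($ResourceDC, $AccountDC)) {
    $ca = Get-PublishedCA -Server $dc -CaName $CaCommonName
    if ($ca) {
        "$dc : CA '$CaCommonName' published on $($ca.dNSHostName); templates: $($ca.certificateTemplates -join ', ')"
    } else {
        Write-Warning "$dc : CA '$CaCommonName' is NOT in Enrollment Services; copy it with PKISync.ps1 from the linked guide"
    }
}

# 3. The CA certificate must be in NTAuthCertificates in both forests, otherwise
#    certificate logon with the issued user certificates is refused.
function Test-NTAuthContainsCA {
    param([string]$Server, [string]$CaName)
    $cfgNC  = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $ntauth = Get-ADObject -Server $Server `
        -Identity "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfgNC" `
        -Properties cACertificate
    foreach ($raw in $ntauth.cACertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        if ($cert.Subject -like "*CN=$CaName*") { return $true }
    }
    return $false
}
foreach ($dc in @($ResourceDC, $AccountDC)) {
    if (Test-NTAuthContainsCA -Server $dc -CaName $CaCommonName) {
        "$dc : '$CaCommonName' is present in NTAuthCertificates"
    } else {
        Write-Warning "$dc : '$CaCommonName' missing from NTAuthCertificates (certutil -dspublish -f <CAcert.cer> NTAuthCA)"
    }
}
```

Run it from a machine in DomainB with an account that can read both forests' Configuration partitions. A missing object on the DomainA side is the usual reason the enrollment server reports "Configuration information could not be read from the domain controller" for DomainA users even though those users can already log on to DomainB RDSH hosts: logon only needs the trust, while enrollment also needs the CA and templates visible in the user's own forest.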