Hello, Our on-premise Active Directory 2012 R2 consists of a single forest with two subdomains. I have installed and configured Parallels RAS v17.1 and configured SAML Single Sign-On authentication against our Azure Active Directory tenant. SSO authentication works fine for accounts in the forest root domain but when I try to authenticate accounts in our subdomains, I get the following error: Logon using SAML failed. Error: Failed to match AD User. (0X00000006) In the RAS console, if I disable the SAML profile and revert to the setting in the Connections --> Authentication tab (All Trusted Domains with the two checkboxes ticked), I can log in with these subdomain accounts just fine. Any idea what might be causing this? Do I need any of the RAS infrastructure to be joined to those subdomains? It is currently all attached to the forest root.