Users see all applications in RDS 2012 Web access in one-way trust domain environment

Hello!

We have RDS 2012 deployment in domainA.local. There is a one-way trust between domainA.local and domainB.local: A trusts B and B doesn't trust A.

A user from domainB.local authenticates in Web-access interface (wa.domainA.local) and seesevery published application in every collection in the deployment independently of UserGroups setting of collections and applications. This occurs for any domainB user.

In the security log of wa.domainA.local we can find an event :

An account failed to log on.

Subject:

Security ID:                IIS APPPOOL\RDWebAccess

Account Name:                RDWebAccess

Account Domain:                IIS APPPOOL

Logon ID:                0x2C7B16

Logon Type:                        3

Account For Which Logon Failed:

Security ID:                NULL SID

Account Name:                

Account Domain:                

Failure Information:

Failure Reason:                An error occurred during logon

Status:                        0xC000005E

Sub Status:                0x0

Also in network trace on wa.domainA.local kerberos error could be found:

On TGS-REQ for krbtgt/domainB@domainA.local there is an answer: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7), server name krbtgt/domainB.

How to deal with this issue? The aim is to show only specified applications to domainB users.

Any help would be appreciated.