Hi,
I have been struggling with the same issue recently.
Microsoft recommends (and that's how we got it working) having a global group in the user's forest and adding the user to that group.
In the resource forest, create a Domain Local group and add the user's group to it. The group MUST BE domain local!
Try it out and let me know if it works or not.
P.S.: In theory, it should also work if you create a domain local group and add the user directly; however, it's not recommended.
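
The group nesting described in the reply above, as an added PowerShell sketch that is not part of the original post. The domain controller names, the user and both group names are hypothetical placeholders, and the script assumes the ActiveDirectory module, an existing forest trust, and rights to manage groups in both forests.

```powershell
# Added example: all names below are hypothetical placeholders.
Import-Module ActiveDirectory

$UserForestDC     = 'dc01.users.example'      # DC in the user's (account) forest
$ResourceForestDC = 'dc01.resources.example'  # DC in the resource forest
$UserSam          = 'jdoe'                    # account that needs access
$GlobalName       = 'GG-App-Users'            # global group, user's forest
$LocalName        = 'DL-App-Access'           # domain local group, resource forest

# 1. Global group in the user's forest, with the user as a member.
$global = Get-ADGroup -Filter "Name -eq '$GlobalName'" -Server $UserForestDC
if (-not $global) {
    $global = New-ADGroup -Name $GlobalName -GroupScope Global `
        -GroupCategory Security -Server $UserForestDC -PassThru
}
Add-ADGroupMember -Identity $global -Members $UserSam -Server $UserForestDC

# 2. Domain local group in the resource forest.
$local = Get-ADGroup -Filter "Name -eq '$LocalName'" -Server $ResourceForestDC
if (-not $local) {
    $local = New-ADGroup -Name $LocalName -GroupScope DomainLocal `
        -GroupCategory Security -Server $ResourceForestDC -PassThru
}

# Global groups only accept members from their own domain and universal
# groups only from their own forest, so refuse any other scope here.
if ($local.GroupScope -ne 'DomainLocal') {
    throw "$LocalName has scope $($local.GroupScope); it must be DomainLocal."
}

# 3. Nest the global group by SID. The resource domain stores the member
#    as a foreign security principal for the trusted forest's group.
Set-ADObject -Identity $local.DistinguishedName -Server $ResourceForestDC `
    -Add @{ member = "<SID=$($global.SID.Value)>" }

# 4. Confirm the nesting, then grant permissions on the resource to the
#    domain local group only, never to the user directly.
(Get-ADGroup -Identity $local.DistinguishedName -Properties member `
    -Server $ResourceForestDC).member
```

Access is then managed by changing membership of the global group in the user's forest, so the resource ACLs and the domain local group stay untouched when people join or leave.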