SNC name for AD sub domain users

Hi Experts,

We'd like to use SAPGUI SSO with Kerberos.

ERP is installed under AD root domain (ROOT.COM) in the forest.

Users are belongs to AD sub domain (SUBDOM.COM) in the same forest.

ERP is installed under ROOT.COM, service user is SAPService @ ROOT.COM.

SNC name in user profile (SU01) is p:testuser@SUBDOM.COM

SAP Logon entry for SSO has SNC name, p:SAPService @ ROOT.COM.

Then user tries to log on via the entry for SSO, the error message "No user exists with SNC name "p:testuser@SUBDOM.COM""

I guess user's SNC name should be changed but I couldn't find what should be changed.

Kindly advise what setting is missing in our environment.

best regards,

Megumi