Hello @bjoernt,
I know its (probably too) late and I hope you could already resolve this but still wanted to answer here.
It seems like this is the initial request which just hits the authentication rule set which forces the MWG to respond to the client and offering the authentication methods you have configured (e.g. "Negotiate"). Now, client should come back with a second request including Kerberos details and so authentication should be performed.
To troubleshoot this, more details would be needed and this should be done via SR as debug data is needed which is so sensitive for community. Most likely in such scenarios, clients come back with wrong authentication header or keytab is improperly configured. If there are errors, the error lines should be displayed in mwg-core.errors.log.
So the allowed groups and names rule was not yet working as authentication did not yet happen. Saying more would just be guessing around as this information/data is not enough.
If you have more specific questions, I can try to answer them.
Regards,
Marcel Kutrieba
Technical Support Engineer
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!