Like the checkbox says, you can extract the group IDs from the ticket. Not the group names. Get the group SID from your AD admin and replace the group name in your rules with the SID string.
OK, it works now.
My mistake was using Authentication.GetUserGroups in one rule, which returns an empty value and blocked all the other rules.
Also, when using Kerberos auth, all group names fetched from the Kerberos ticket are without the domain name part, i.e. domain\groupname -> groupname.
With NTLM help, Authentication.UserGroups returns group names without the domain part.
Without NTLM help, only SIDs are returned as the value, i.e. S-1-5-21-796845957-1979792683-725345543-34410.
Have a nice day.