We have set up two authorization profiles called AD_Machine and AD_User as recommended in the TrustSec 2.0 doc. The AD_Machine policy has a condition set on it to look at the AD External Group AD Machines; likewise, the AD_User has a condition to look at AD External Group AD Users. At the end of the authorization policy list we have the default policy, which is set to the WEBAUTH authorization profile.
What we see is that machine auth is granted by the WEBAUTH policy, as this is the catch-all. If I disable WEBAUTH, it picks AD_Machine; also, if I enable WEBAUTH and remove the AD External Group AD Machines condition, it also selects the correct policy.
There seems to be some kind of timing issue when authorizing against an external DB.