Rule-based authentication best practices

If you don’t need rules, don’t use rule-based authentication. Deploying a single authentication method should provide the best performance.
Use the fewest number of rules needed to satisfy your requirements.
Do not use a domain list in a rule if it’s not needed.

When a domain list is used

If there is an IWA or NTLM domain, make it first in the list.
If there is more than one IWA or NTLM domain, place the domain with the most active members first in the list. In other words, make the first domain the one that will most often authenticate users.
Note that if an IWA domain is first in the list and the user is not joined to that domain, the user will be prompted for credentials.
Note that if the first domain in the list is LDAP, every user who matches the rule will be prompted for credentials. The credentials provided will be offered to each successive domain.
If client certificate authentication is enabled with Use the next selected authentication method if Client Certificate authentication fails option selected, the domain list cannot be empty.