Authentication Mode: This option controls whether the SMS server allows only users defined in the SMS to log in or allows AD users with or without an SMS account to log in. If you choose to allow access for non-local users, you must also specify how the New Resource Group will be determined for those users. By default, users are allowed to choose a New Resource Group.

Authorization Mode: This option controls whether the SMS server should query the AD for the user's group membership and attempt to map them to the local SMS groups.

New Resource Group Mapping Mechanism: This option controls how the users logging in using AD should have their New Resource Groups selected. The options include:

1. Allow the user to choose: The user will be prompted to choose a group among their groups to be their new resource group.
2. Use Active Directory Primary Group: The user will be granted their Active Directory Primary Group as their New Resource Group.
3. Use Active Directory Attribute: The user will be granted the New Resource Group nominated as a value within a specified attribute.

New Resource Group Attribute: This attribute will be available if the above option is set to Use Active Directory Attribute. The options include:

1. Telephones [Notes]
2. Group Priority (an advanced attribute)

Mapping Failure: This option tells the SMS server what to do when group membership reported in Active Directory cannot be mapped. The options include:

1. Reject Authentication: The login will be rejected.
2. Accept Authentication with local groups: The login will be granted to the groups recorded in the SMS database. This option is not available if you are allowing non-local users to login.
3. Accept Authentication with the specified group: The login will be granted and the user will be granted this specified group.

Reference: SMS User Guide