Bug
Resolution: Fixed
Minor
None
Jenkins 2.361.4 with version 2.30 of active-directory plugin and 3.1.7 of matrix-auth plugin
matrix-auth-3.1.9

The getGroups method of ProjectMatrixAuthorizationStrategy uses the user's ACLContext to iterate through all projects/folders/nodes and find which group permissions are set on each.
In conjunction with the active-directory plugin, with the option "remove irrelevant groups", this causes a problem, since we save the relevant groups upon logging in, when the user is still anonymous. This is done for performance reasons, since going through each AD group every time a user tries to access a resource is not doable for systems with a lot of AD groups.
This means that for everything on the master where Anonymous doesn't have read access, the groups defined are deemed irrelevant, since we can't access them at the time of calculation. This in turn means that you can't set up a system where access is given through AD groups and anonymous can't already read everything.
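
A simplified model of the behaviour described above, added here as an illustration and not code from Jenkins, matrix-auth or active-directory. The names `Item`, `get_groups`, `login`, `SYSTEM` and the sample data are constructed; the `SYSTEM` run only contrasts the result when every item is visible and is not the change shipped in matrix-auth-3.1.9.

```python
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"   # principal in effect while the login is still being processed
SYSTEM = "SYSTEM"         # constructed stand-in for a privileged context that sees every item

@dataclass
class Item:
    name: str
    read_grants: set = field(default_factory=set)  # sids (users or groups) granted Read here

def can_read(item, sids):
    return SYSTEM in sids or bool(item.read_grants & set(sids))

def get_groups(items, context_sids):
    """Collect sids used in per-item matrices, visiting only items the caller can read."""
    groups = set()
    for item in items:
        if can_read(item, context_sids):
            groups |= item.read_grants
    return groups - {ANONYMOUS}

def login(ad_groups, items, context_sids):
    """Model of "remove irrelevant groups": keep only AD groups get_groups reports at login."""
    return set(ad_groups) & get_groups(items, context_sids)

def readable(items, user, kept_groups):
    return sorted(i.name for i in items if can_read(i, {user, ANONYMOUS} | kept_groups))

# Constructed sample data: one item anonymous can read, one granted only to an AD group.
ITEMS = [
    Item("public-docs", {ANONYMOUS, "AD-Docs"}),
    Item("payments-folder", {"AD-Payments"}),
]
ALICE_AD_GROUPS = ["AD-Payments", "AD-Docs", "AD-Unrelated"]

def demo():
    as_anonymous = login(ALICE_AD_GROUPS, ITEMS, {ANONYMOUS})
    as_system = login(ALICE_AD_GROUPS, ITEMS, {SYSTEM})
    return {
        "kept_anonymous": sorted(as_anonymous),
        "readable_anonymous": readable(ITEMS, "alice", as_anonymous),
        "kept_system": sorted(as_system),
        "readable_system": readable(ITEMS, "alice", as_system),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the anonymous run, `AD-Payments` is dropped as irrelevant because `payments-folder` was never visited, so the user cannot read that folder after login even though the matrix grants it to their group.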