locked
"CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity" when testing AutoDiscover for a EOP mailbox RRS feed

  • Question

  • We have an existing ADFS server that we've used for years to authenticate Office 365 services. It is configured for Duo MFA and has been working fine without issue for some time. We are trying to migrate to Exchange Online with a staged hybrid migration, but running into ADFS errors. AutoDiscover fails for a migrated mailbox with an authentication error and we see event ID 325 in the ADFS logs every time we try AutoDiscover or run the Microsoft Connectivity Analyzer or the Microsoft Support and Recovery Assistant for Office 365. 

    Here are the details of the 325 error, it seems to indicate there is a problem with the authorization rules. 

    The Federation Service could not authorize token issuance for caller 'domain\username
    '. The caller is not authorized to request a token for the relying party 'urn:federation:MicrosoftOnline'. See event 501 with the same Instance ID for caller identity. 
    
    Additional Data 
    Instance ID: 3eff1dbe-92bf-4ff0-8dec-6373c7e93f13 
    Relying party: urn:federation:MicrosoftOnline 
    Exception details: 
    Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity domain\username for relying party trust urn:federation:MicrosoftOnline.
       at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace) 
    User Action 
    Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.
    
    An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.  
    
    Additional Data 
    
    Caller:
     domain\username
     
    OnBehalfOf user:
      
    ActAs user:
      
    Target Relying Party:
     urn:federation:MicrosoftOnline 
    
    Device identity:
      
    User action: 
    Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.
    
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name 		domain\username 
    http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid	S-1-5-21-2498087-2094072233
    http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid S-1-5-21-2498087-2094072233
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 	S-1-5-21-2498087-2094072233
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 	S-1-1-0 
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 	S-1-5-32-545 
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 	S-1-5-2 
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 	S-1-5-11 
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 	S-1-5-15 
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 	S-1-5-21-2498087-2094072233
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 	S-1-5-21-2498087-2094072233
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 	S-1-5-21-2498087-2094072233
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 	S-1-5-21-2498087-2094072233
    http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant 	2018-09-20T13:37:41.870Z 
    http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod 
    http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password 
    http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime 				2018-12-06T15:36:13.172Z 
    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application 	Microsoft.Exchange.Autodiscover 
    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent 	Microsoft Office/15.0 (Windows NT 6.2; Microsoft Outlook 15.0.4615; Pro; MS Connectivity Analyzer) 
    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path /adfs/services/trust/2005/usernamemixed 
    http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork
    http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id		18ed02a0-c198-4040-853b-69a5277fb2a5 
    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip	40.85.91.8 
    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip 	40.85.91.8 
    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip 		132.245.52.29 
    http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname 		domain\username 
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn 				username@domain.net 
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn 			username@domain.net

    There are no other 325 events in the logs when attempting to authenticate to the web UI, etc. 

    We want to use ADFS with MFA to authenticate AutoDiscover access, so do not wish to bypass this. 

    Is it possible to modify the configuration of ADFS to allow this authentication attempt?

    Friday, September 21, 2018 8:54 PM

All replies

  • What are your authorization rules and additional authentication rules look like?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, September 21, 2018 11:21 PM
  • The only Issuance Authorization Rules I have for Microsoft Office 365 Identity Platform is Permit Access to All Users. We do have a few Additional Authentication rules, but none that pertain to the AutoDiscover client app. 

    PS C:\Windows\system32> get-adfsrelyingpartytrust -Name "Microsoft Office 365 Identity Platform" | fl AdditionalAuthenti
    cationRules
    
    
    AdditionalAuthenticationRules : NOT EXISTS([Type ==
                                    "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent",
                                    Value =~ "(?i)skype"])
                                     && NOT EXISTS([Type ==
                                    "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent",
                                    Value =~ "(?i)ACOMO"])
                                     && NOT EXISTS([Type ==
                                    "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent",
                                    Value =~ "(?i)lync"])
                                     => issue(Type =
                                    "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value
                                    = "http://schemas.microsoft.com/claims/multipleauthn");

    Monday, September 24, 2018 8:54 PM
  • Did you ever find a solution to this?

    -Eli

    Wednesday, July 24, 2019 10:33 PM
  • I have same issue for one of the user. Did you find a soluction to this?
    Tuesday, November 19, 2019 3:25 PM
  • No, we never found the solution. We ended up creating new Outlook profiles as a work around
    Wednesday, November 20, 2019 12:39 AM
  • No, we never found the solution. We ended up creating new Outlook profiles as a work around

    Ok Thank you.

    I think i might have a soluction but I cant try it.

    Delete User from Office 365 (not from AD) let system recreate and this should work

    Monday, November 25, 2019 8:31 AM