"CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity" when testing AutoDiscover for an EOP mailbox

Question
-
We have an existing ADFS server that we've used for years to authenticate Office 365 services. It is configured for Duo MFA and has been working fine without issue for some time. We are trying to migrate to Exchange Online with a staged hybrid migration, but are running into ADFS errors. AutoDiscover fails for a migrated mailbox with an authentication error and we see event ID 325 in the ADFS logs every time we try AutoDiscover or run the Microsoft Connectivity Analyzer or the Microsoft Support and Recovery Assistant for Office 365.
Here are the details of the 325 error; it seems to indicate there is a problem with the authorization rules.
The Federation Service could not authorize token issuance for caller 'domain\username '. The caller is not authorized to request a token for the relying party 'urn:federation:MicrosoftOnline'. See event 501 with the same Instance ID for caller identity.
Additional Data
Instance ID: 3eff1dbe-92bf-4ff0-8dec-6373c7e93f13
Relying party: urn:federation:MicrosoftOnline
Exception details: Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity domain\username for relying party trust urn:federation:MicrosoftOnline.
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)
User Action
Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.

An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.
Additional Data
Caller: domain\username
OnBehalfOf user:
ActAs user:
Target Relying Party: urn:federation:MicrosoftOnline
Device identity:
User action: Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name  domain\username
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid  S-1-5-21-2498087-2094072233
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid  S-1-5-21-2498087-2094072233
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid  S-1-5-21-2498087-2094072233
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid  S-1-1-0
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid  S-1-5-32-545
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid  S-1-5-2
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid  S-1-5-11
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid  S-1-5-15
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid  S-1-5-21-2498087-2094072233
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid  S-1-5-21-2498087-2094072233
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid  S-1-5-21-2498087-2094072233
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid  S-1-5-21-2498087-2094072233
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant  2018-09-20T13:37:41.870Z
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod  http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime  2018-12-06T15:36:13.172Z
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application  Microsoft.Exchange.Autodiscover
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent  Microsoft Office/15.0 (Windows NT 6.2; Microsoft Outlook 15.0.4615; Pro; MS Connectivity Analyzer)
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path  /adfs/services/trust/2005/usernamemixed
http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork
http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id  18ed02a0-c198-4040-853b-69a5277fb2a5
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip  40.85.91.8
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip  40.85.91.8
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip  132.245.52.29
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname  domain\username
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn  username@domain.net
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn  username@domain.net
There are no other 325 events in the logs when attempting to authenticate to the web UI, etc.
We want to use ADFS with MFA to authenticate AutoDiscover access, so do not wish to bypass this.
Is it possible to modify the configuration of ADFS to allow this authentication attempt?
Friday, September 21, 2018 8:54 PM
All replies
-
What do your authorization rules and additional authentication rules look like?
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
Friday, September 21, 2018 11:21 PM
-
The only Issuance Authorization Rule I have for Microsoft Office 365 Identity Platform is Permit Access to All Users. We do have a few Additional Authentication rules, but none that pertain to the AutoDiscover client app.
PS C:\Windows\system32> get-adfsrelyingpartytrust -Name "Microsoft Office 365 Identity Platform" | fl AdditionalAuthenticationRules

AdditionalAuthenticationRules : NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)skype"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)ACOMO"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)lync"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
Monday, September 24, 2018 8:54 PM
-
Did you ever find a solution to this?
-Eli
Wednesday, July 24, 2019 10:33 PM
-
I have the same issue for one of the users. Did you find a solution to this?
Tuesday, November 19, 2019 3:25 PM
-
No, we never found the solution. We ended up creating new Outlook profiles as a workaround.
Wednesday, November 20, 2019 12:39 AM
-
No, we never found the solution. We ended up creating new Outlook profiles as a workaround.
Ok Thank you.
I think I might have a solution but I can't try it.
Delete the user from Office 365 (not from AD), let the system recreate it, and this should work.
Monday, November 25, 2019 8:31 AM
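The thread never settles which rule is rejecting the request, but the event 501 caller-identity dump in the question and the AdditionalAuthenticationRules string posted in the second reply are enough to check offline which branch the MFA rule takes for this exact client. The script below is an added example, not code from the thread or from Microsoft: it parses the run-together "Type Value Type Value ..." export as the event viewer produces it (the claim-type namespaces it recognizes are assumed from the types visible in the dump), then replays the posted rule over those claims. AD FS evaluates `=~` as a .NET regular expression; for the three `(?i)` patterns in the rule Python's `re` behaves identically.

```python
import re
from typing import Dict, List, Tuple

# Claim types that matter for the posted rule (all taken from the thread).
USER_AGENT_TYPE = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent"
CLIENT_APP_TYPE = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"
ENDPOINT_TYPE = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"
INSIDE_CORPNET_TYPE = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
AUTHN_METHOD_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
MULTIPLEAUTHN = "http://schemas.microsoft.com/claims/multipleauthn"

# Subset of the event 501 caller-identity data from the question, kept as one
# whitespace-joined string exactly the way the event viewer exports it.
EVENT_501_DUMP = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name domain\\username "
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod "
    "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password "
    "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application "
    "Microsoft.Exchange.Autodiscover "
    "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent "
    "Microsoft Office/15.0 (Windows NT 6.2; Microsoft Outlook 15.0.4615; Pro; MS Connectivity Analyzer) "
    "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path "
    "/adfs/services/trust/2005/usernamemixed "
    "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork "
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn username@domain.net"
)

# A whitespace token is a claim TYPE if it lives in one of the AD FS claim-type
# namespaces seen in the dump. The authenticationmethod VALUE is also a URL, but
# it sits under .../identity/authenticationmethod/, so it is not matched here.
CLAIM_TYPE_RE = re.compile(
    r"^http://schemas\.(?:xmlsoap\.org|microsoft\.com)\S*?(?:/claims/|/ws/2012/01/)\S+$"
)

# The three exclusions from the posted AdditionalAuthenticationRules string.
EXCLUDED_USER_AGENT_PATTERNS = ["(?i)skype", "(?i)ACOMO", "(?i)lync"]


def parse_claims(dump: str) -> List[Tuple[str, str]]:
    """Split the 'Type Value Type Value ...' export into (type, value) pairs.

    Values may contain spaces (the user agent) or be empty
    (insidecorporatenetwork has no value in the posted dump)."""
    claims: List[Tuple[str, str]] = []
    current_type = None
    value_tokens: List[str] = []
    for token in dump.split():
        if CLAIM_TYPE_RE.match(token):
            if current_type is not None:
                claims.append((current_type, " ".join(value_tokens)))
            current_type, value_tokens = token, []
        else:
            value_tokens.append(token)
    if current_type is not None:
        claims.append((current_type, " ".join(value_tokens)))
    return claims


def exists(claims: List[Tuple[str, str]], claim_type: str, pattern: str) -> bool:
    """EXISTS([Type == claim_type, Value =~ pattern]) from the claim rule language."""
    rx = re.compile(pattern)
    return any(t == claim_type and rx.search(v) is not None for t, v in claims)


def additional_authentication_rule(claims: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Replay the posted rule: unless the user agent matches one of the
    exclusions, issue the multipleauthn claim, i.e. demand MFA for this request.
    Returns the claims the rule would issue (empty if MFA is not demanded)."""
    if any(exists(claims, USER_AGENT_TYPE, p) for p in EXCLUDED_USER_AGENT_PATTERNS):
        return []
    return [(AUTHN_METHOD_TYPE, MULTIPLEAUTHN)]


def summarize(dump: str) -> Dict[str, object]:
    """Pull out the request-context claims an admin compares between a failing
    and a working client, plus the outcome of the MFA rule for this request."""
    claims = parse_claims(dump)
    by_type = {t: v for t, v in claims}
    return {
        "client_application": by_type.get(CLIENT_APP_TYPE, ""),
        "user_agent": by_type.get(USER_AGENT_TYPE, ""),
        "endpoint": by_type.get(ENDPOINT_TYPE, ""),
        "inside_corporate_network": by_type.get(INSIDE_CORPNET_TYPE, ""),
        "mfa_demanded": bool(additional_authentication_rule(claims)),
    }


if __name__ == "__main__":
    for key, value in summarize(EVENT_501_DUMP).items():
        print(f"{key}: {value!r}")
```

For the request in the question the user agent matches none of the three exclusions, so the rule issues the multipleauthn claim: this AutoDiscover request, arriving at the /adfs/services/trust/2005/usernamemixed endpoint with an empty insidecorporatenetwork claim, is being asked to satisfy MFA. Running the same script over the event 501 dump of a client that works gives a direct comparison of which request-context claims differ, which is the information the first reply asks for before any rule is changed.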