ADFS Event 325

  • Question

  • Hi,

    When trying to restrict an ADFS Relying party trust to specific AD groups via 'Edit Claim Rules', I get the following ADFS error 325 (picture 1).


    Some users added to the same AD distribution group have no problems logging in. Has anyone seen this error before and could shed some light?


    MK

    Thursday, February 23, 2017 4:42 PM

All replies

  • It looks like you have an Issuance Authorization rule on your relying party trust preventing this user from connecting. Can you have a look at the GUI and tell us what you have in the Authorization tab (right click edit claim rules on the relying party trust)?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, February 23, 2017 5:39 PM
  • Hi,

    That's correct, I have configured an Issuance Authorization rule to prevent everyone from logging in, allowing only a certain Distribution Group via Group SID. Is that not a correct way to do it? Please see screenshot below:


    MK

    Friday, February 24, 2017 10:58 AM
  • Does anyone have a suggestion?

    MK

    Wednesday, March 1, 2017 11:28 AM
  • Could you describe what type of data is in that "caller" field? Is it a username or what?

    https://exchange12rocks.org | https://about.me/exchange12rocks

    Thursday, March 2, 2017 9:21 PM
  • Hi,

    That is right. That is a user logon name.


    MK

    Monday, March 6, 2017 2:06 PM
  • I think you need a "Send LDAP Attributes as Claims" to get the Group SID and place it before your current rule.
    Thursday, March 9, 2017 4:48 AM
  • Thank you, I believe it helped. Another thing I was doing wrong is allowing Distribution groups rather than Security groups. It only works with Security groups as I figured out.
    Thursday, March 9, 2017 2:55 PM
  • Correct. Thanks for sharing!

    Sunday, March 12, 2017 9:28 PM
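
Added example, not part of the thread and not code from any poster: a PowerShell check that the group named in the Issuance Authorization rule is a security group before the permit rule is applied, since only security groups are placed in a user's token and so only their SIDs arrive as groupsid claims. The group name and relying party trust name are placeholders, and the ActiveDirectory and ADFS modules are assumed to be available on the AD FS server.

```powershell
# Added example. $GroupName and $TrustName are placeholders, not values from the thread.
Import-Module ActiveDirectory
Import-Module ADFS

$GroupName = 'App-Allowed-Users'       # placeholder AD group
$TrustName = 'Example Relying Party'   # placeholder relying party trust name

$group = Get-ADGroup -Identity $GroupName

# Distribution groups are not added to the logon token, so their SID never
# shows up as a groupsid claim and a rule keyed on it denies every member.
if ($group.GroupCategory -ne 'Security') {
    throw "Group '$GroupName' is a $($group.GroupCategory) group; use a Security group for authorization rules."
}

$sid = $group.SID.Value

# Permit only callers whose incoming claims contain the group's SID.
# With no other permit rule on the trust, everyone else is denied.
$rule = @"
@RuleName = "Permit members of $GroupName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

# This replaces the trust's existing Issuance Authorization rules.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceAuthorizationRules $rule

# Show the rule set now stored on the trust for review.
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceAuthorizationRules
```

Users who were signed in before being added to the group need a fresh logon before the new SID appears in their token.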