Symptoms

  • Token issuance fails

  • The following events are logged in the AD FS 2.0/Admin Event Log:

 

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          2/14/2011 1:32:23 PM
Event ID:      323
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Computer:      ADFS2RSTS.treyresearch.net
Description:
The Federation Service could  not authorize token issuance for the caller '' on behalf of the subject 'adamcar@adatum.com
' to the relying party 'https://claimapp1.treyresearch.net'
. Please see event 501 with the same instance id for caller identity. Please see event 502 with the same instance id for OnBehalfOf identity, if any.

Additional Data
Instance id: 9ef56e0a-ce36-4fc2-be30-887f39d5f4e8
Exception details:
Microsoft.IdentityServer.Service.IssuancePipeline.OnBehalfOfAuthorizationException: MSIS5009: The impersonation authorization failed for caller identity  and delegate  for relying party trust https://claimapp1.treyresearch.net.
   at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)
User Action
Use Windows PowerShell comments for AD FS 2.0 to ensure that the caller is authorized on behalf of the subject to the relying party.

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          2/14/2011 1:32:23 PM
Event ID:      364
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Computer:      ADFS2RSTS.treyresearch.net
Description:
Encountered error during federation passive request.

Additional Data

Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: MSIS3126: Access denied.
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, MSISSession& session)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolResponse(FederationPassiveContext federationPassiveContext)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

System.ServiceModel.FaultException: MSIS3126: Access denied.
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)

 

Cause

  • The caller who is requesting the security token does not have the appropriate
    claims to be authorized for token issuance.

 

Resolution

  • If this is a delegation scenario, ensure that the caller's token contains the
    appropriate claims to allow for authorization to delegate.
  • If this is not a delegation scenario, ensure that the Active Directory Claims Provider (CP)
    Trust claim rules allow the AD FS service to request a token on behalf of the
    user. The default set of Acceptance Transform Rules allow this to succeed. If
    you have removed some or all of the default rules, see the following article for
    resolution:

AD FS 2.0 - How to restore the default Acceptance Transform Rules for the Active Directory Claims Provider Trust