Token issuance fails
The following events are logged in the AD FS 2.0/Admin Event Log:
Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: 2/14/2011 1:32:23 PM
Event ID: 323
Task Category: None
Level: Error
Keywords: AD FS
User: NETWORK SERVICE
Computer: ADFS2RSTS.treyresearch.net
Description:
The Federation Service could not authorize token issuance for the caller '' on behalf of the subject 'adamcar@adatum.com ' to the relying party 'https://claimapp1.treyresearch.net'. Please see event 501 with the same instance id for caller identity. Please see event 502 with the same instance id for OnBehalfOf identity, if any.

Additional Data
Instance id: 9ef56e0a-ce36-4fc2-be30-887f39d5f4e8
Exception details: Microsoft.IdentityServer.Service.IssuancePipeline.OnBehalfOfAuthorizationException: MSIS5009: The impersonation authorization failed for caller identity and delegate for relying party trust https://claimapp1.treyresearch.net.
   at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)

User Action
Use Windows PowerShell comments for AD FS 2.0 to ensure that the caller is authorized on behalf of the subject to the relying party.
Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: 2/14/2011 1:32:23 PM
Event ID: 364
Task Category: None
Level: Error
Keywords: AD FS
User: NETWORK SERVICE
Computer: ADFS2RSTS.treyresearch.net
Description:
Encountered error during federation passive request.

Additional Data
Exception details: Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: MSIS3126: Access denied.
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, MSISSession& session)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolResponse(FederationPassiveContext federationPassiveContext)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

System.ServiceModel.FaultException: MSIS3126: Access denied.
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
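Event 323 points to events 501/502 with the same instance id for the caller and OnBehalfOf identities, and its User Action is to check with the AD FS 2.0 PowerShell cmdlets that the caller is authorized for the relying party. The script below is an added example of that check, not code from the original article; it assumes it runs on the AD FS 2.0 federation server as an AD FS administrator, that the relying party identifier is the one in the event, that the Active Directory claims provider trust is named 'Active Directory', and that the 501/502 events are in the same Admin log.

```powershell
# Added example (not part of the original article). Assumed: run on the AD FS 2.0
# server as an AD FS administrator; the AD FS 2.0 snap-in is installed.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpIdentifier = 'https://claimapp1.treyresearch.net'   # relying party from the event
$adfsLog      = 'AD FS 2.0/Admin'

# 1. Take the most recent event 323 and pull its instance id out of the message text.
$ev323 = Get-WinEvent -FilterHashtable @{ LogName = $adfsLog; Id = 323 } -MaxEvents 1
$instanceId = [regex]::Match($ev323.Message, 'Instance id:\s*([0-9a-fA-F-]{36})').Groups[1].Value
"Event 323 at {0}, instance id {1}" -f $ev323.TimeCreated, $instanceId

# 2. Correlate: events 501 (caller identity) and 502 (OnBehalfOf identity) carry the
#    same instance id, so filter recent 501/502 events down to this request.
$related = Get-WinEvent -FilterHashtable @{ LogName = $adfsLog; Id = 501, 502 } -MaxEvents 500 |
    Where-Object { $_.Message -match [regex]::Escape($instanceId) }
foreach ($e in $related) {
    "---- Event {0} ({1}) ----" -f $e.Id, $e.TimeCreated
    $e.Message
}

# 3. Show the rule sets the Federation Service evaluates for this relying party.
#    MSIS5009 is an impersonation authorization failure, so the impersonation rules
#    are the first thing to read; the issuance authorization rules are shown alongside.
$rp = Get-ADFSRelyingPartyTrust -Identifier $rpIdentifier
"Impersonation authorization rules for {0}:" -f $rp.Name
$rp.ImpersonationAuthorizationRules
"Issuance authorization rules for {0}:" -f $rp.Name
$rp.IssuanceAuthorizationRules

# 4. The claims the rules above see come through the claims provider trust's
#    acceptance transform rules, so show those too (assumed trust name 'Active Directory').
$cp = Get-ADFSClaimsProviderTrust -Name 'Active Directory'
"Acceptance transform rules for claims provider trust '{0}':" -f $cp.Name
$cp.AcceptanceTransformRules
```

If step 3 prints an empty impersonation rule set, or step 4 prints an empty acceptance transform rule set, the caller has no claims to satisfy an authorization rule, which matches the MSIS5009/MSIS3126 pair recorded above.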
See also: AD FS 2.0 - How to restore the default Acceptance Transform Rules for the Active Directory Claims Provider Trust