The Federation Service could not authorize token issuance for caller to the relying party.
The caller is not authorized to request a token for the relying party.
Generally, this event might indicate that a claims authorization rule in the claims policy for this relying party trust is not operating as intended.
Use the AD FS snap-in to ensure that the caller is authorized to request a token for the relying party. Specifically, you can review issuance policy for this trust by following these steps in the snap-in.
1. In the console tree, navigate to the Relying Party Trusts node (under AD FS\Trust Relationships).
2. In the details pane, select the relying party trust that is specified in the message text for this event.
3. On the Action menu, click Edit Claim Rules.
4. Click the Issuance Authorization Rules tab.
Review the contents of this tab to troubleshoot the authorization issue. Add or update the issuance policy as appropriate to authorize the caller that is specified in the event text.
Verify that the claims authorization rules for this relying party trust are configured as intended. For more information, see When to Use a Claims Authorization Rule.
Target | Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuance | ||
Category | ConfigurationHealth | ||
Enabled | False | ||
Event_ID | 325 | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | Normal | ||
Remotable | True | ||
Alert Message |
| ||
Event Log | $Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$ |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.EventProvider | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuanceCallerAuthorizationErrorRule" Enabled="false" Target="Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuance" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>ConfigurationHealth</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">325</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>MatchesMOM2005RegularExpression</Operator>
<Pattern>(^AD FS$)</Pattern>
</RegExExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>2</Severity>
<AlertOwner/>
<AlertMessageId>$MPElement[Name="Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuanceCallerAuthorizationErrorRule.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/Params/Param[2]$</AlertParameter1>
<AlertParameter2>$Data/Params/Param[3]$</AlertParameter2>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/Params/Param[2]$</SuppressionValue>
<SuppressionValue>$Data/Params/Param[3]$</SuppressionValue>
</Suppression>
<Custom1/>
<Custom2/>
<Custom3/>
<Custom4/>
<Custom5/>
<Custom6/>
<Custom7/>
<Custom8/>
<Custom9/>
<Custom10/>
</WriteAction>
</WriteActions>
</Rule>