Caller Authorization Error

Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuanceCallerAuthorizationErrorRule (Rule)

Knowledge Base article:

Summary

The Federation Service could not authorize token issuance for caller to the relying party.

Causes

The caller is not authorized to request a token for the relying party.

Generally, this event might indicate that a claims authorization rule in the claims policy for this relying party trust is not operating as intended.

Resolutions

Use the AD FS snap-in to ensure that the caller is authorized to request a token for the relying party. Specifically, you can review issuance policy for this trust by following these steps in the snap-in.

1. In the console tree, navigate to the Relying Party Trusts node (under AD FS\Trust Relationships).

2. In the details pane, select the relying party trust that is specified in the message text for this event.

3. On the Action menu, click Edit Claim Rules.

4. Click the Issuance Authorization Rules tab.

Review the contents of this tab to troubleshoot the authorization issue. Add or update the issuance policy as appropriate to authorize the caller that is specified in the event text.

Verify that the claims authorization rules for this relying party trust are configured as intended. For more information, see When to Use a Claims Authorization Rule.

Element properties:

Target: Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuance
Category: ConfigurationHealth
Enabled: False
Event_ID: 325
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Remotable: True
Alert Message:
Caller Authorization Error
The Federation Service could not authorize token issuance for caller '{0}' to the relying party '{1}'.
Event Log: $Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$

Member Modules:

ID     Module Type   TypeId                            RunAs
DS     DataSource    Microsoft.Windows.EventProvider   Default
Alert  WriteAction   System.Health.GenerateAlert       Default

Source Code:

<Rule ID="Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuanceCallerAuthorizationErrorRule" Enabled="false" Target="Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuance" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>ConfigurationHealth</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">325</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <RegExExpression>
              <ValueExpression>
                <XPathQuery Type="String">PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>MatchesMOM2005RegularExpression</Operator>
              <Pattern>(^AD FS$)</Pattern>
            </RegExExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertOwner/>
      <AlertMessageId>$MPElement[Name="Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuanceCallerAuthorizationErrorRule.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/Params/Param[2]$</AlertParameter1>
        <AlertParameter2>$Data/Params/Param[3]$</AlertParameter2>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/Params/Param[2]$</SuppressionValue>
        <SuppressionValue>$Data/Params/Param[3]$</SuppressionValue>
      </Suppression>
      <Custom1/>
      <Custom2/>
      <Custom3/>
      <Custom4/>
      <Custom5/>
      <Custom6/>
      <Custom7/>
      <Custom8/>
      <Custom9/>
      <Custom10/>
    </WriteAction>
  </WriteActions>
</Rule>
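As an added illustration (not part of the management pack), the rule's filter and alert logic modelled in Python over constructed events: the two conditions inside <And> (EventDisplayNumber 325 and PublisherName matching ^AD FS$), the substitution of Param[2] and Param[3] into '{0}' and '{1}' of the alert message, and the <Suppression> that collapses repeats for the same caller/relying-party pair. It assumes the MOM 2005 regex behaves like a Python re for this pattern and that the event's first parameter is irrelevant to the rule; the sample events and their parameter values are made up.

```python
import re
from typing import Optional

# Constants copied from the rule definition above.
EVENT_ID = 325                                 # <Value Type="UnsignedInteger">325</Value>
PUBLISHER_PATTERN = re.compile(r"(^AD FS$)")   # <Pattern>(^AD FS$)</Pattern>, approximated with Python re
ALERT_MESSAGE = ("The Federation Service could not authorize token issuance "
                 "for caller '{0}' to the relying party '{1}'.")
SEVERITY = {2: "Error"}    # <Severity>2</Severity>
PRIORITY = {1: "Normal"}   # <Priority>1</Priority>

def rule_matches(event: dict) -> bool:
    """The <And> of the two <Expression> filters in the DataSource."""
    return (int(event["EventDisplayNumber"]) == EVENT_ID
            and PUBLISHER_PATTERN.search(event["PublisherName"]) is not None)

def build_alert(event: dict) -> Optional[dict]:
    """Mirror the GenerateAlert WriteAction: Param[2] -> {0}, Param[3] -> {1}."""
    if not rule_matches(event):
        return None
    params = event["Params"]
    caller, relying_party = params[1], params[2]  # SCOM Param[n] indexes are 1-based
    return {
        "severity": SEVERITY[2],
        "priority": PRIORITY[1],
        "message": ALERT_MESSAGE.format(caller, relying_party),
        # <Suppression> keys on Param[2] and Param[3]: repeats for the same pair collapse
        "suppression_key": (caller, relying_party),
    }

def alerts_for(events) -> list:
    """Run the rule over an event stream, applying its suppression semantics."""
    seen, out = set(), []
    for ev in events:
        alert = build_alert(ev)
        if alert is None or alert["suppression_key"] in seen:
            continue
        seen.add(alert["suppression_key"])
        out.append(alert)
    return out

# Constructed sample events (not real log data); keys follow the XPath names in the rule.
SAMPLE_EVENTS = [
    {"EventDisplayNumber": 325, "PublisherName": "AD FS", "Params": ["p1", "CONTOSO\\alice", "urn:example:rp"]},
    {"EventDisplayNumber": 325, "PublisherName": "AD FS", "Params": ["p1", "CONTOSO\\alice", "urn:example:rp"]},  # repeat: suppressed
    {"EventDisplayNumber": 325, "PublisherName": "AD FS Auditing", "Params": ["p1", "CONTOSO\\bob", "urn:example:rp"]},  # publisher fails ^AD FS$
    {"EventDisplayNumber": 324, "PublisherName": "AD FS", "Params": ["p1", "CONTOSO\\carol", "urn:example:rp"]},  # wrong event id
]
```

Running alerts_for(SAMPLE_EVENTS) yields a single Error alert for CONTOSO\alice; the second copy is suppressed and the other two events never match the data source filter.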