Home
  •  

On Behalf Of Authorization Error

Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuanceOnBehalfOfAuthorizationErrorRule (Rule)

Knowledge Base article:

Summary

The Federation Service could not authorize token issuance for the caller on behalf of the subject to the relying party.

Causes

The specified caller is not authorized to act on behalf of the subject of this relying party

For more information about the specific cause of this event, see Event 501 and Event 502 with the same instance ID for the caller identity and the OnBehalfOf identity (if any).

Generally, this event might indicate that a claims authorization rule in the claims policy for this relying party trust is not operating as intended.

Resolutions

Use the AD FS snap-in to ensure that the caller is authorized to act on behalf of the subject to the relying party.

First, verify that the claims authorization rules for this relying party trust are configured as intended. For more information, see When to Use a Claims Authorization Rule.

If you have to update impersonation authorization policy for this relying party trust, you can use the Windows PowerShell cmdlets for AD FS. Specifically, you can view and set impersonation authorization rules policy as part of the ImpersonationAuthorizationRules property. To read this property, use the Get-ADFSRelyingPartyTrust cmdlet. To modify this property, use the Set-ADFSRelyingPartyTrust cmdlet.

Element properties:

TargetMicrosoft.ActiveDirectoryFederationServices.2016.TokenIssuance
CategoryConfigurationHealth
EnabledFalse
Event_ID323
Alert GenerateTrue
Alert SeverityWarning
Alert PriorityNormal
RemotableTrue
Alert Message
On Behalf Of Authorization Error
The Federation Service could not authorize token issuance for the caller '{0}' on behalf of the subject '{1}' to the relying party '{2}'.
Event Log$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
Alert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuanceOnBehalfOfAuthorizationErrorRule" Enabled="false" Target="Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuance" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>ConfigurationHealth</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="UnsignedInteger">323</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <RegExExpression>

              <ValueExpression>

                <XPathQuery Type="String">PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>MatchesMOM2005RegularExpression</Operator>

              <Pattern>(^AD FS$)</Pattern>

            </RegExExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>1</Severity>

      <AlertName/>

      <AlertDescription/>

      <AlertOwner/>

      <AlertMessageId>$MPElement[Name="Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuanceOnBehalfOfAuthorizationErrorRule.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/Params/Param[2]$</AlertParameter1>

        <AlertParameter2>$Data/Params/Param[3]$</AlertParameter2>

        <AlertParameter3>$Data/Params/Param[4]$</AlertParameter3>

      </AlertParameters>

      <Suppression>

        <SuppressionValue>$Data/Params/Param[2]$</SuppressionValue>

        <SuppressionValue>$Data/Params/Param[3]$</SuppressionValue>

        <SuppressionValue>$Data/Params/Param[4]$</SuppressionValue>

      </Suppression>

      <Custom1/>

      <Custom2/>

      <Custom3/>

      <Custom4/>

      <Custom5/>

      <Custom6/>

      <Custom7/>

      <Custom8/>

      <Custom9/>

      <Custom10/>

    </WriteAction>

  </WriteActions>

</Rule>