Token issuance failed because the caller is not authorized to request the token as another subject to the relying party.
The specified caller is not authorized to act as the subject for this relying party
For more information about the cause of this event, see Event 501 and Event 503 with the same instance ID for the caller identity and the ActAs identity (if any).
Generally, this event might indicate that a claims authorization rule in the claims policy for this relying party trust is not operating as intended.
Use the AD FS snap-in to ensure that the caller is authorized to act as the subject to the relying party. Specifically, you can review delegation policy for this trust by following these steps in the snap-in.
1. In the console tree, navigate to the Relying Party Trusts node (under AD FS\Trust Relationships).
2. In the details pane, select the relying party trust that is specified in the message text for this event.
3. On the Action menu, click Edit Claim Rules.
4. Click the Delegation Authorization Rules tab.
Review the contents of this tab to troubleshoot the authorization issue. Add or update the delegation policy as appropriate to authorize the caller that is specified in the event text.
Verify that the claims authorization rules for this relying party trust are configured as intended. For more information, see When to Use a Claims Authorization Rule
Target | Microsoft.ActiveDirectoryFederationServices20.TokenIssuance | ||
Category | ConfigurationHealth | ||
Enabled | False | ||
Event_ID | 302 | ||
Alert Generate | True | ||
Alert Severity | Warning | ||
Alert Priority | Normal | ||
Remotable | True | ||
Alert Message |
| ||
Event Log | $Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices20.FederationServer"]/ADFSEventLog$ |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.EventProvider | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.ActiveDirectoryFederationServices20.TokenIssuanceActAsAuthorizationErrorRule" Enabled="false" Target="Microsoft.ActiveDirectoryFederationServices20.TokenIssuance" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>ConfigurationHealth</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices20.FederationServer"]/ADFSEventLog$</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">302</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>MatchesMOM2005RegularExpression</Operator>
<Pattern>(^AD FS$)|(^AD FS 2.0$)</Pattern>
</RegExExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>1</Severity>
<AlertOwner/>
<AlertMessageId>$MPElement[Name="Microsoft.ActiveDirectoryFederationServices20.TokenIssuanceActAsAuthorizationErrorRule.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/Params/Param[2]$</AlertParameter1>
<AlertParameter2>$Data/Params/Param[3]$</AlertParameter2>
<AlertParameter3>$Data/Params/Param[4]$</AlertParameter3>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/Params/Param[2]$</SuppressionValue>
<SuppressionValue>$Data/Params/Param[3]$</SuppressionValue>
<SuppressionValue>$Data/Params/Param[4]$</SuppressionValue>
</Suppression>
<Custom1/>
<Custom2/>
<Custom3/>
<Custom4/>
<Custom5/>
<Custom6/>
<Custom7/>
<Custom8/>
<Custom9/>
<Custom10/>
</WriteAction>
</WriteActions>
</Rule>