Invalid Audience URI - Microsoft.ActiveDirectoryFederationServices2012R2.TokenAcceptanceAudienceUriValidationFailedRule (Rule)

Microsoft.ActiveDirectoryFederationServices2012R2.TokenAcceptanceAudienceUriValidationFailedRule (Rule)

Knowledge Base article:

Summary

The Federation Service failed to accept the token because the audience URI that is specified in the token does not match acceptable identifiers of this Federation Service.

Causes

The specified audience identifier is not present in the acceptable identifiers list of this Federation Service.

Resolutions

See the exception details for the audience identifier that failed validation. If the audience identifier identifies this Federation Service, add the audience identifier to the acceptable identifiers list by using Windows PowerShell cmdlets for AD FS. You can configure the acceptable identifiers list by using the AcceptableIdentifier parameter on the Set-ADFSProperties cmdlet.

The audience identifier is used to verify whether the token was sent to this Federation Service. If you think that the audience identifier does not identify your Federation Service, adding it to the acceptable identifiers list might cause vulnerability in the security of your system.

Element properties:

Target

Microsoft.ActiveDirectoryFederationServices2012R2.TokenAcceptance

Category

ConfigurationHealth

Enabled

True

Event_ID

367

Alert Generate

True

Alert Severity

Warning

Alert Priority

Normal

Remotable

True

Alert Message

Invalid Audience URI

The audience URI that is specified in the token does not match acceptable identifiers of this Federation Service. Token acceptance failed. Check the Alert Context tab for more details.

Event Log

$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer"]/ADFSEventLog$

Member Modules:

ID	Module Type	TypeId	RunAs
DS	DataSource	Microsoft.Windows.EventProvider	Default
Alert	WriteAction	System.Health.GenerateAlert	Default

Module Type

TypeId

RunAs

DataSource

Microsoft.Windows.EventProvider

Default

Alert

WriteAction

System.Health.GenerateAlert

Default

Source Code:

<Rule ID="Microsoft.ActiveDirectoryFederationServices2012R2.TokenAcceptanceAudienceUriValidationFailedRule" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices2012R2.TokenAcceptance" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100"> <Category>ConfigurationHealth</Category> <DataSources> <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider"> <ComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName> <LogName>$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer"]/ADFSEventLog$</LogName> <Expression> <And> <Expression> <SimpleExpression> <ValueExpression> <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery> </ValueExpression> <Operator>Equal</Operator> <ValueExpression> <Value Type="UnsignedInteger">367</Value> </ValueExpression> </SimpleExpression> </Expression> <Expression> <RegExExpression> <ValueExpression> <XPathQuery Type="String">PublisherName</XPathQuery> </ValueExpression> <Operator>MatchesMOM2005RegularExpression</Operator> <Pattern>(^AD FS$)</Pattern> </RegExExpression> </Expression> </And> </Expression> </DataSource> </DataSources> <WriteActions> <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert"> <Priority>1</Priority> <Severity>1</Severity> <AlertOwner/> <AlertMessageId>$MPElement[Name="Microsoft.ActiveDirectoryFederationServices2012R2.TokenAcceptanceAudienceUriValidationFailedRule.AlertMessage"]$</AlertMessageId> <Suppression> <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue> </Suppression> <Custom1/> <Custom2/> <Custom3/> <Custom4/> <Custom5/> <Custom6/> <Custom7/> <Custom8/> <Custom9/> <Custom10/> </WriteAction> </WriteActions> </Rule>