Home
  •  

Act As Authorization Error

Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuanceActAsAuthorizationErrorRule (Rule)

Knowledge Base article:

Summary

Token issuance failed because the caller is not authorized to request the token as another subject to the relying party.

Causes

The specified caller is not authorized to act as the subject for this relying party

For more information about the cause of this event, see Event 501 and Event 503 with the same instance ID for the caller identity and the ActAs identity (if any).

Generally, this event might indicate that a claims authorization rule in the claims policy for this relying party trust is not operating as intended.

Resolutions

Use the AD FS snap-in to ensure that the caller is authorized to act as the subject to the relying party. Specifically, you can review delegation policy for this trust by following these steps in the snap-in.

1. In the console tree, navigate to the Relying Party Trusts node (under AD FS\Trust Relationships).

2. In the details pane, select the relying party trust that is specified in the message text for this event.

3. On the Action menu, click Edit Claim Rules.

4. Click the Delegation Authorization Rules tab.

Review the contents of this tab to troubleshoot the authorization issue. Add or update the delegation policy as appropriate to authorize the caller that is specified in the event text.

Verify that the claims authorization rules for this relying party trust are configured as intended. For more information, see When to Use a Claims Authorization Rule

Element properties:

TargetMicrosoft.ActiveDirectoryFederationServices2012R2.TokenIssuance
CategoryConfigurationHealth
EnabledFalse
Event_ID302
Alert GenerateTrue
Alert SeverityWarning
Alert PriorityNormal
RemotableTrue
Alert Message
Act As Authorization Error
Token issuance failed for the caller '{0}'as subject '{1}' to the relying party trust '{2}'
Event Log$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer"]/ADFSEventLog$

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
Alert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuanceActAsAuthorizationErrorRule" Enabled="false" Target="Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuance" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>ConfigurationHealth</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer"]/ADFSEventLog$</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="UnsignedInteger">302</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <RegExExpression>

              <ValueExpression>

                <XPathQuery Type="String">PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>MatchesMOM2005RegularExpression</Operator>

              <Pattern>(^AD FS$)</Pattern>

            </RegExExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>1</Severity>

      <AlertOwner/>

      <AlertMessageId>$MPElement[Name="Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuanceActAsAuthorizationErrorRule.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/Params/Param[2]$</AlertParameter1>

        <AlertParameter2>$Data/Params/Param[3]$</AlertParameter2>

        <AlertParameter3>$Data/Params/Param[4]$</AlertParameter3>

      </AlertParameters>

      <Suppression>

        <SuppressionValue>$Data/Params/Param[2]$</SuppressionValue>

        <SuppressionValue>$Data/Params/Param[3]$</SuppressionValue>

        <SuppressionValue>$Data/Params/Param[4]$</SuppressionValue>

      </Suppression>

      <Custom1/>

      <Custom2/>

      <Custom3/>

      <Custom4/>

      <Custom5/>

      <Custom6/>

      <Custom7/>

      <Custom8/>

      <Custom9/>

      <Custom10/>

    </WriteAction>

  </WriteActions>

</Rule>