ADFS Not allowing full Office365 - Intune login

Dave Herrell 1 Reputation point
2020-12-29T16:08:07.987+00:00

Hi everyone, having the oddest issue and have searched the webs to death with no luck.

We have an ADFS setup thats federated and connected to MS365. Zero issues with users using any of the MS356 applications, no issues signing into office.com direct.

The issue is with logins into Intune using the same credentials. Brand new VM or computer, choose login using Business credentials, I can sign in, its throws me to ADFS, back to laptop setup and starts the usual laptop setups perfect. However, once the laptop is rebooted or logged out, we're unable to log in, says username/password does is incorrect. Within the Intune and Azure portals the device/VM shows as registered and compliant. Nothing can be done but to reset the VM/Laptop to factory and try again.

Looking at this error from the ADFS side, each login is throwing the error in Events 325 and Event 1000:
The Federation Service could not authorize token issuance for caller ‘domain\user.name’
'. The caller is not authorized to request a token for the relying party 'urn:federation:MicrosoftOnline'. See event 501 with the same Instance ID for caller identity.

The access policy in ADFS for this RTP: "Microsoft Office 365..." is set to Permit Everyone . So it should pass the token just fine back.

Another thing that may help, If I test ADFS SSO via this link: https://testconnectivity.microsoft.com I does indeed throw and error: An error occurred while attempting to retrieve and analyze the security token. ADFS reports the exact same error above. Error 325

All ADFS certs are up-to-date, I've re-ran the Azure Sync and verified connectivity multiple times. Even deleted the RTP and had the Azure Sync tool rebuild it, same issues.

Again, zero issues with users signing into any of the Office 365 applications, Email, etc.. just this issue.

We are using DUO for our 2-factor solutions, Ive set this on bypass for testing as well with the same issue.

Thoughts?

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,278 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. JoyDutt 826 Reputation points
    2020-12-29T16:25:37.417+00:00

    Hi @Dave Herrell

    In the Relying Party Trust (RPT) for this service provider (SP), take a look at the Issuance Authorization Rules tab. You'll need at least one rule to issue the claim type http://schemas.microsoft.com/authorization/claims/permit with a value of true and no claims issuing the claim type http://schemas.microsoft.com/authorization/claims/deny with a value of true, though technically I don't believe any value is needed for either. If all users are allowed to the front door of your SP, you can use the rule template under Add Rule called Permit All Users. (which you already have)

    Some inputs that may help from here Ref https://community.duo.com/t/implement-duo-to-adfs-3-0-question/1243/7

    (Please don’t forget to **"Accept the answer" & “up-vote” **, this can be beneficial to other members. Thank You)

    Regards,
    ** J.D. **

    0 comments No comments

  2. Dave Herrell 1 Reputation point
    2020-12-29T18:13:50.67+00:00

    Thanks, JD,

    I've seen the StackOverflow post with the same answer as well. We're running Server 2019 with ADFS 4.0 which automatically removes the Tab, we removed the RTP in order to gain back the Issuance Authorization Rules Tab to test that and it still throws the exact same issues.

    52038-screen-shot-2020-12-29-at-11128-pm.png

    I've tried added group rules, etc, but for whatever reason(s) this doesn't pass the security token back.


  3. Dave Herrell 1 Reputation point
    2021-01-04T16:33:35.7+00:00

    Hi @Pierre Audonnet - MSFT and thank you for replying , If you delete the MS365 RTP and use the Azure AD Connect to rebuild the RTP on ADFS, it places the older UI for "Issuance Authorization Rules" instead of the newer "Access Ui for Access Control Policy" is what I was talking about. I did this to make sure the Azure trust and ADFS was properly setup as a verification.

    As for the rules, here is everything setup on the RTP. Everything is default setup that the Azure AD Connect built from the practice mentioned above. No rules were added beyond this.

    Print out of request:

    Windows PowerShell  
    Copyright (C) Microsoft Corporation. All rights reserved.  
      
    PS C:\Windows\system32> Get-AdfsRelyingPartyTrust -Identifier "urn:federation:MicrosoftOnline"  
      
      
    AllowedAuthenticationClassReferences : {}  
    EncryptionCertificateRevocationCheck : CheckChainExcludeRoot  
    PublishedThroughProxy                : False  
    SigningCertificateRevocationCheck    : CheckChainExcludeRoot  
    WSFedEndpoint                        : https://login.microsoftonline.com/login.srf  
    AdditionalWSFedEndpoint              : {}  
    ClaimsProviderName                   : {}  
    ClaimsAccepted                       : {}  
    EncryptClaims                        : True  
    Enabled                              : True  
    EncryptionCertificate                :  
    Identifier                           : {https://login.microsoftonline.com/extSTS.srf, urn:federation:MicrosoftOnline}  
    NotBeforeSkew                        : 0  
    EnableJWT                            : False  
    AlwaysRequireAuthentication          : False  
    Notes                                :  
    OrganizationInfo                     :  
    ObjectIdentifier                     : 1fe839e0-204a-eb11-865e-0689e582178b  
    ProxyEndpointMappings                : {}  
    ProxyTrustedEndpoints                : {}  
    ProtocolProfile                      : WsFed-SAML  
    RequestSigningCertificate            : {}  
    EncryptedNameIdRequired              : False  
    SignedSamlRequestsRequired           : False  
    SamlEndpoints                        : {}  
    SamlResponseSignature                : AssertionOnly  
    SignatureAlgorithm                   : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256  
    TokenLifetime                        : 0  
    AllowedClientTypes                   : Public, Confidential  
    IssueOAuthRefreshTokensTo            : AllDevices  
    RefreshTokenProtectionEnabled        : True  
    RequestMFAFromClaimsProviders        : False  
    ScopeGroupId                         :  
    ScopeGroupIdentifier                 :  
    DeviceAuthenticationMethod           :  
    Name                                 : Microsoft Office 365 Identity Platform Worldwide  
    AutoUpdateEnabled                    : False  
    MonitoringEnabled                    : True  
    MetadataUrl                          : https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadat  
                                           a.xml  
    ConflictWithPublishedPolicy          : False  
    IssuanceAuthorizationRules           : @RuleTemplate = "AllowAllAuthzRule"  
                                            => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",  
                                           Value = "true");  
      
      
    IssuanceTransformRules               : @RuleName = "Issue UPN"  
                                           c:[Type ==  
                                           "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]  
                                            => issue(store = "Active Directory", types =  
                                           ("http://schemas.xmlsoap.org/claims/UPN"), query =  
                                           "samAccountName={0};mail;{1}", param = regexreplace(c.Value,  
                                           "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);  
      
                                           @RuleName = "Issue Immutable ID"  
                                           c:[Type ==  
                                           "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]  
                                            => issue(store = "Active Directory", types =  
                                           ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query =  
                                           "samAccountName={0};objectGUID;{1}", param = regexreplace(c.Value,  
                                           "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);  
      
                                           @RuleName = "Issue nameidentifier"  
                                           c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]  
                                            => issue(Type =  
                                           "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value =  
                                           c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimpropert  
                                           ies/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");  
      
                                           @RuleName = "Issue accounttype for domain-joined computers"  
                                           c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",  
                                           Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]  
                                            => issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value =  
                                           "DJ");  
      
                                           @RuleName = "Issue AccountType with the value USER when it is not a computer  
                                           account"  
                                           NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",  
                                           Value == "DJ"])  
                                            => add(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value =  
                                           "User");  
      
                                          @RuleName = "Issue issuerid when it is not a computer account"  
                                           c1:[Type == "http://schemas.xmlsoap.org/claims/UPN"]  
                                            && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value ==  
                                           "User"]  
                                            => issue(Type =  
                                           "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value =  
                                           regexreplace(c1.Value, "(?i)(^([^@]+)@)(partners\.)*(?<domain>((?<=partners\.)XXXX\.com|XXXX\.com))$", "http://${domain}/adfs/services/trust/"));  
      
                                           @RuleName = "Issue issuerid for DJ computer auth"  
                                           c1:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value ==  
                                           "DJ"]  
                                            => issue(Type =  
                                           "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value =  
                                           "http://XXXX.com/adfs/services/trust/");  
      
                                           @RuleName = "Issue onpremobjectguid for domain-joined computers"  
                                           c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",  
                                           Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]  
                                            && c2:[Type ==  
                                           "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",  
                                           Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]  
                                            => issue(store = "Active Directory", types =  
                                           ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), query =  
                                           ";objectguid;{0}", param = c2.Value);  
      
                                           @RuleName = "Pass through primary SID"  
                                           c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",  
                                           Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]  
                                            && c2:[Type ==  
                                           "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~  
                                           "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]  
                                            => issue(claim = c2);  
      
                                           @RuleName = "Pass through claim - insideCorporateNetwork"  
                                           c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"]  
                                            => issue(claim = c);  
      
                                           @RuleName = "Pass Through Claim - Psso"  
                                           c:[Type == "http://schemas.microsoft.com/2014/03/psso"]  
                                            => issue(claim = c);  
      
                                           @RuleName = "Issue Password Expiry Claims"  
                                           c1:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]  
                                            => issue(store = "_PasswordExpiryStore", types =  
                                           ("http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime",  
                                           "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays",  
                                           "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};",  
                                           param = c1.Value);  
      
                                           @RuleName = "Pass Through Claim - AlternateLoginID"  
                                           c:[Type == "http://schemas.microsoft.com/ws/2013/11/alternateloginid"]  
                                            => issue(claim = c);  
      
                                           @RuleName = "Pass through claim - authnmethodsreferences"  
                                           c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]  
                                            => issue(claim = c);  
      
                                           @RuleName = "Pass through claim - multifactorauthenticationinstant"  
                                           c:[Type == "http://schemas.microsoft.com/ws/2017/04/identity/claims/multifactora  
                                           uthenticationinstant"]  
                                            => issue(claim = c);  
      
                                           @RuleName = "Pass through claim - certificate authentication - serial number"  
                                           c:[Type ==  
                                           "http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber"]  
                                            => issue(claim = c);  
      
                                           @RuleName = "Pass through claim - certificate authentication - issuer"  
                                           c:[Type ==  
                                           "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer"]  
                                            => issue(claim = c);  
      
      
    DelegationAuthorizationRules         :  
    LastPublishedPolicyCheckSuccessful   : True  
    LastUpdateTime                       : 12/30/2020 12:15:48 AM  
    LastMonitoredTime                    : 1/4/2021 12:16:25 AM  
    ImpersonationAuthorizationRules      :  
    AdditionalAuthenticationRules        :  
    AccessControlPolicyName              :  
    AccessControlPolicyParameters        :  
    ResultantPolicy                      :  
      
      
      
    PS C:\Windows\system32>  
    

  4. Dave Herrell 1 Reputation point
    2021-01-06T14:24:15.307+00:00

    Hi @Pierre Audonnet - MSFT ,

    Same issue after reset things and 2 complete reboots of the ADFS farm. Here are the 501 errors I'm seeing, obv there's quite a few since the user is in a lot of groups (me):

    More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information.   
      
    Instance ID:   
    2681fa01-1ef5-4eb2-aec9-b79545fba569   
       
    Caller identity:   
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name   
    DOMANIN\XXXX   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid   
    S-1-5-21-288254211-2898031401-xxx   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid   
    S-1-5-21-288254211-2898031401-xxx   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-x xx  
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-1-0   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-32-xxx  
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-32-xxx   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-32-xxx   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-2   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-11  
      
    More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information.   
      
    Instance ID:   
    2681fa01-1ef5-4eb2-aec9-b79545fba569   
       
    Caller identity:   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-15   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10688   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-5751   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10724   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10740   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-2449   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-5924   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-2625   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10736   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-7671  
      
    More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information.   
      
    Instance ID:   
    2681fa01-1ef5-4eb2-aec9-b79545fba569   
       
    Caller identity:   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-8024   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10681   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10738   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-2228   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-11637   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10795   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-1104   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10803   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-1413   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-7887  
      
    More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information.   
      
    Instance ID:   
    2681fa01-1ef5-4eb2-aec9-b79545fba569   
       
    Caller identity:   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-2751   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-3565   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10713   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10723   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-1422   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-11126   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-7841   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-7707   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-7874   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10739  
      
    More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information.   
      
    Instance ID:   
    2681fa01-1ef5-4eb2-aec9-b79545fba569   
       
    Caller identity:   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-8131   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10865   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10720   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10664   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-8049   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-6110   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-1108   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10727   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10792   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-2353  
      
    More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information.   
      
    Instance ID:   
    2681fa01-1ef5-4eb2-aec9-b79545fba569   
       
    Caller identity:   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10700   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-7993   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10804   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10685   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10728   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-1113   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-5706   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-8030   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-2784   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10741  
      
    More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information.   
      
    Instance ID:   
    2681fa01-1ef5-4eb2-aec9-b79545fba569   
       
    Caller identity:   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-1439   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-1107   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10731   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-5602   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10116   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-5705   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-1105   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-2652   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10665   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-6126  
      
    More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information.   
      
    Instance ID:   
    2681fa01-1ef5-4eb2-aec9-b79545fba569   
       
    Caller identity:   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10775   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-8079   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10632   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-7909   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-7919   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-1106   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-7990   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-2304   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-1223   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10806  
      
    More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information.   
      
    Instance ID:   
    2681fa01-1ef5-4eb2-aec9-b79545fba569   
       
    Caller identity:   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-1412   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-7613   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-8008   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10726   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-7908   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-8135   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-8083   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-5863   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10729   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10714  
      
    More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information.   
      
    Instance ID:   
    2681fa01-1ef5-4eb2-aec9-b79545fba569   
       
    Caller identity:   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10867   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-5704   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-8611   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-5865   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-512   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10777   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-2786   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-11141   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-11615   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-5864  
      
      
    More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information.   
      
    Instance ID:   
    2681fa01-1ef5-4eb2-aec9-b79545fba569   
       
    Caller identity:   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-8051   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-8031   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10732   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-1139   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-7885   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-1489   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-5776   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10891   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-1433   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-7812  
      
      
    More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information.   
      
    Instance ID:   
    2681fa01-1ef5-4eb2-aec9-b79545fba569   
       
    Caller identity:   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10666   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-5755   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-1418   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-11612   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-1483   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-8050   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-5146   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10838   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-7953   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10895  
      
    More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information.   
      
    Instance ID:   
    2681fa01-1ef5-4eb2-aec9-b79545fba569   
       
    Caller identity:   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-10609   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-518   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-519   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-18-1   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-7636   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid   
    S-1-5-21-288254211-2898031401-238993119-571   
    http://schemas.microsoft.com/ws/2014/01/identity/claims/accountstore   
    AD AUTHORITY   
    http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname   
    http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime   
    2021-03-xxx  
    http://schemas.microsoft.com/ws/2013/11/alternateloginid   
    user.name@XXXX.com  
      
    More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information.   
      
    Instance ID:   
    2681fa01-1ef5-4eb2-aec9-b79545fba569   
       
    Caller identity:   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod   
    http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password   
    http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant   
    2020-12-28T20:08:00.590Z   
    http://schemas.microsoft.com/claims/authnmethodsproviders   
    FormsAuthentication   
    http://schemas.microsoft.com/ws/2017/04/identity/claims/accountthrottled   
    false   
    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path   
    /adfs/services/trust/2005/usernamemixed   
    http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork   
    true   
    http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id   
    f1b6e89c-f5cf-403b-bc6e-2262c88394d8   
    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip   
    168.61.XXX.XXX   
    http://schemas.microsoft.com/2014/09/requestcontext/claims/userip   
    168.61.XXX.XXX  
    http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname   
    DOMAIN\XXXXX  
      
    More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information.   
      
    Instance ID:   
    2681fa01-1ef5-4eb2-aec9-b79545fba569   
       
    Caller identity:   
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn   
    user.name@domain.com   
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn   
    user.name@domain.local   
    

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.