davetech2020-1942 asked BrianWilson-5980 commented

ADFS Not allowing full Office365 - Intune login

Hi everyone, having the oddest issue and have searched the webs to death with no luck.

We have an ADFS setup that's federated and connected to MS365. Zero issues with users using any of the MS365 applications, no issues signing into office.com direct.

The issue is with logins into Intune using the same credentials. Brand new VM or computer, choose login using Business credentials, I can sign in, it throws me to ADFS, back to laptop setup and starts the usual laptop setup perfectly. However, once the laptop is rebooted or logged out, we're unable to log in; it says username/password is incorrect. Within the Intune and Azure portals the device/VM shows as registered and compliant. Nothing can be done but to reset the VM/Laptop to factory and try again.

Looking at this error from the ADFS side, each login is throwing the error in Event 325 and Event 1000:

 The Federation Service could not authorize token issuance for caller 'domain\user.name'. The caller is not authorized to request a token for the relying party 'urn:federation:MicrosoftOnline'. See event 501 with the same Instance ID for caller identity.

The access policy in ADFS for this RTP, "Microsoft Office 365...", is set to Permit Everyone. So it should pass the token just fine back.

Another thing that may help: if I test ADFS SSO via this link, https://testconnectivity.microsoft.com, it does indeed throw an error: "An error occurred while attempting to retrieve and analyze the security token." ADFS reports the exact same error above, Error 325.

All ADFS certs are up-to-date, I've re-ran the Azure Sync and verified connectivity multiple times. Even deleted the RTP and had the Azure Sync tool rebuild it, same issues.

Again, zero issues with users signing into any of the Office 365 applications, Email, etc., just this issue.

We are using DUO for our 2-factor solution; I've set this to bypass for testing as well, with the same issue.

Thoughts?



adfs

JoydeepDutt-2506 answered

Hi @davetech2020-1942

In the Relying Party Trust (RPT) for this service provider (SP), take a look at the Issuance Authorization Rules tab. You'll need at least one rule to issue the claim type http://schemas.microsoft.com/authorization/claims/permit with a value of true and no claims issuing the claim type http://schemas.microsoft.com/authorization/claims/deny with a value of true, though technically I don't believe any value is needed for either. If all users are allowed to the front door of your SP, you can use the rule template under Add Rule called Permit All Users. (which you already have)

Some inputs that may help, ref: https://community.duo.com/t/implement-duo-to-adfs-3-0-question/1243/7



(Please don’t forget to "Accept the answer" & “up-vote” , this can be beneficial to other members. Thank You)

Regards,
J.D.


davetech2020-1942 answered piaudonn edited

Thanks, JD,

I've seen the StackOverflow post with the same answer as well. We're running Server 2019 with ADFS 4.0 which automatically removes the Tab, we removed the RTP in order to gain back the Issuance Authorization Rules Tab to test that and it still throws the exact same issues.

52038-screen-shot-2020-12-29-at-11128-pm.png




I've tried adding group rules, etc., but for whatever reason(s) this doesn't pass the security token back.



Not sure what you mean by "we removed the RTP in order to gain back the Issuance Authorization Rules Tab". Since ADFS on Windows Server 2016, Issuance Authorization Rules have been replaced with Access Control Policies. Hence the GUI was adapted and there is no separate tab. You need to click on the Edit Access Control Policy link in the GUI. That said, since you created the RP programmatically (I imagine) it will not display an actual Access Control Policy but an issuance authorization rules editor (like in the old days). So you do not need to delete anything to see stuff. What have you actually done then?

Anyhow, share all the rules you have with us here. There are more than authorization rules when you use MFA, there are what's called "additional authorization rules". Which will not show in this tab (only in the PowerShell output).

 Get-ADFSRelyingPartyTrust


davetech2020-1942 answered piaudonn commented

Hi @piaudonn, and thank you for replying. If you delete the MS365 RTP and use Azure AD Connect to rebuild the RTP on ADFS, it places the older UI for "Issuance Authorization Rules" instead of the newer "Access Control Policy" UI; that is what I was talking about. I did this to make sure the Azure trust and ADFS were properly set up, as a verification.

As for the rules, here is everything setup on the RTP. Everything is default setup that the Azure AD Connect built from the practice mentioned above. No rules were added beyond this.

Printout of the request:

 Windows PowerShell
 Copyright (C) Microsoft Corporation. All rights reserved.
    
 PS C:\Windows\system32> Get-AdfsRelyingPartyTrust -Identifier "urn:federation:MicrosoftOnline"
    
    
 AllowedAuthenticationClassReferences : {}
 EncryptionCertificateRevocationCheck : CheckChainExcludeRoot
 PublishedThroughProxy                : False
 SigningCertificateRevocationCheck    : CheckChainExcludeRoot
 WSFedEndpoint                        : https://login.microsoftonline.com/login.srf
 AdditionalWSFedEndpoint              : {}
 ClaimsProviderName                   : {}
 ClaimsAccepted                       : {}
 EncryptClaims                        : True
 Enabled                              : True
 EncryptionCertificate                :
 Identifier                           : {https://login.microsoftonline.com/extSTS.srf, urn:federation:MicrosoftOnline}
 NotBeforeSkew                        : 0
 EnableJWT                            : False
 AlwaysRequireAuthentication          : False
 Notes                                :
 OrganizationInfo                     :
 ObjectIdentifier                     : 1fe839e0-204a-eb11-865e-0689e582178b
 ProxyEndpointMappings                : {}
 ProxyTrustedEndpoints                : {}
 ProtocolProfile                      : WsFed-SAML
 RequestSigningCertificate            : {}
 EncryptedNameIdRequired              : False
 SignedSamlRequestsRequired           : False
 SamlEndpoints                        : {}
 SamlResponseSignature                : AssertionOnly
 SignatureAlgorithm                   : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
 TokenLifetime                        : 0
 AllowedClientTypes                   : Public, Confidential
 IssueOAuthRefreshTokensTo            : AllDevices
 RefreshTokenProtectionEnabled        : True
 RequestMFAFromClaimsProviders        : False
 ScopeGroupId                         :
 ScopeGroupIdentifier                 :
 DeviceAuthenticationMethod           :
 Name                                 : Microsoft Office 365 Identity Platform Worldwide
 AutoUpdateEnabled                    : False
 MonitoringEnabled                    : True
 MetadataUrl                          : https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadat
                                        a.xml
 ConflictWithPublishedPolicy          : False
 IssuanceAuthorizationRules           : @RuleTemplate = "AllowAllAuthzRule"
                                         => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",
                                        Value = "true");
    
    
 IssuanceTransformRules               : @RuleName = "Issue UPN"
                                        c:[Type ==
                                        "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
                                         => issue(store = "Active Directory", types =
                                        ("http://schemas.xmlsoap.org/claims/UPN"), query =
                                        "samAccountName={0};mail;{1}", param = regexreplace(c.Value,
                                        "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
    
                                        @RuleName = "Issue Immutable ID"
                                        c:[Type ==
                                        "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
                                         => issue(store = "Active Directory", types =
                                        ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query =
                                        "samAccountName={0};objectGUID;{1}", param = regexreplace(c.Value,
                                        "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
    
                                        @RuleName = "Issue nameidentifier"
                                        c:[Type == "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"]
                                         => issue(Type =
                                        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value =
                                        c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimpropert
                                        ies/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
    
                                        @RuleName = "Issue accounttype for domain-joined computers"
                                        c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
                                        Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
                                         => issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value =
                                        "DJ");
    
                                        @RuleName = "Issue AccountType with the value USER when it is not a computer
                                        account"
                                        NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
                                        Value == "DJ"])
                                         => add(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value =
                                        "User");
    
                                       @RuleName = "Issue issuerid when it is not a computer account"
                                        c1:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
                                         && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value ==
                                        "User"]
                                         => issue(Type =
                                        "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value =
                                        regexreplace(c1.Value, "(?i)(^([^@]+)@)(partners\.)*(?<domain>((?<=partners\.)XXXX\.com|XXXX\.com))$", "http://${domain}/adfs/services/trust/"));
    
                                        @RuleName = "Issue issuerid for DJ computer auth"
                                        c1:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value ==
                                        "DJ"]
                                         => issue(Type =
                                        "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value =
                                        "http://XXXX.com/adfs/services/trust/");
    
                                        @RuleName = "Issue onpremobjectguid for domain-joined computers"
                                        c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
                                        Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
                                         && c2:[Type ==
                                        "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
                                        Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
                                         => issue(store = "Active Directory", types =
                                        ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), query =
                                        ";objectguid;{0}", param = c2.Value);
    
                                        @RuleName = "Pass through primary SID"
                                        c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
                                        Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
                                         && c2:[Type ==
                                        "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~
                                        "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
                                         => issue(claim = c2);
    
                                        @RuleName = "Pass through claim - insideCorporateNetwork"
                                        c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"]
                                         => issue(claim = c);
    
                                        @RuleName = "Pass Through Claim - Psso"
                                        c:[Type == "http://schemas.microsoft.com/2014/03/psso"]
                                         => issue(claim = c);
    
                                        @RuleName = "Issue Password Expiry Claims"
                                        c1:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]
                                         => issue(store = "_PasswordExpiryStore", types =
                                        ("http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime",
                                        "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays",
                                        "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"), query = "{0};",
                                        param = c1.Value);
    
                                        @RuleName = "Pass Through Claim - AlternateLoginID"
                                        c:[Type == "http://schemas.microsoft.com/ws/2013/11/alternateloginid"]
                                         => issue(claim = c);
    
                                        @RuleName = "Pass through claim - authnmethodsreferences"
                                        c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]
                                         => issue(claim = c);
    
                                        @RuleName = "Pass through claim - multifactorauthenticationinstant"
                                        c:[Type == "http://schemas.microsoft.com/ws/2017/04/identity/claims/multifactora
                                        uthenticationinstant"]
                                         => issue(claim = c);
    
                                        @RuleName = "Pass through claim - certificate authentication - serial number"
                                        c:[Type ==
                                        "http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber"]
                                         => issue(claim = c);
    
                                        @RuleName = "Pass through claim - certificate authentication - issuer"
                                        c:[Type ==
                                        "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer"]
                                         => issue(claim = c);
    
    
 DelegationAuthorizationRules         :
 LastPublishedPolicyCheckSuccessful   : True
 LastUpdateTime                       : 12/30/2020 12:15:48 AM
 LastMonitoredTime                    : 1/4/2021 12:16:25 AM
 ImpersonationAuthorizationRules      :
 AdditionalAuthenticationRules        :
 AccessControlPolicyName              :
 AccessControlPolicyParameters        :
 ResultantPolicy                      :
    
    
    
 PS C:\Windows\system32>


With empty AdditionalAuthenticationRules and your current IssuanceAuthorizationRules that should work just fine. Have you tried again since you reset the RP? What are the events 501 in the security logs saying? (You need to make sure the audit is enabled to see them.)


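The checks piaudonn asks for in the comment above (the rule sets the GUI hides, whether auditing is on, and the 501 events that share an Instance ID with the 325) can be gathered in one pass. The script below is an added example and is not from the thread or from Microsoft; it assumes an elevated PowerShell session on an ADFS 2016+ server (the thread's Server 2019 farm), that the ADFS Admin channel is named `AD FS/Admin`, and that the event 325 message text contains the Instance ID GUID (if it does not, the correlation step simply reports no match). The relying party identifier is the one shown in the thread's `Get-AdfsRelyingPartyTrust` output.

```powershell
# Added diagnostic example for the "caller is not authorized to request a token"
# (event 325) case. Not code from the original thread. Run elevated on the
# ADFS server. Assumptions: ADFS 2016+, Admin log named 'AD FS/Admin',
# Instance ID GUID present in the 325 message text.

$RpIdentifier = 'urn:federation:MicrosoftOnline'   # identifier from the thread

# 1. Dump every rule set that decides authorization for this RP.
#    AdditionalAuthenticationRules is the set the GUI tab does not show; a rule
#    there that demands a factor the client cannot present also ends in a 325.
$rp = Get-AdfsRelyingPartyTrust -Identifier $RpIdentifier
if (-not $rp) { throw "No relying party trust found for $RpIdentifier" }

"=== $($rp.Name) ==="
"AccessControlPolicyName      : $($rp.AccessControlPolicyName)"
"IssuanceAuthorizationRules   :`n$($rp.IssuanceAuthorizationRules)"
"AdditionalAuthenticationRules:`n$($rp.AdditionalAuthenticationRules)"

# A single rule issuing the deny claim type wins over 'Permit everyone',
# so flag it explicitly rather than relying on a visual scan of the text.
$denyType = 'http://schemas.microsoft.com/authorization/claims/deny'
if ($rp.IssuanceAuthorizationRules -match [regex]::Escape($denyType)) {
    Write-Warning "A rule issues the deny claim type; it overrides the permit rule."
}
if ([string]::IsNullOrWhiteSpace($rp.IssuanceAuthorizationRules) -and
    [string]::IsNullOrWhiteSpace($rp.AccessControlPolicyName)) {
    Write-Warning "No authorization rules and no access control policy: nobody is permitted."
}

# 2. Event 501 (caller identity) is only written when ADFS auditing is on.
#    Both the farm-level AuditLevel and the Windows audit subcategory matter.
$props = Get-AdfsProperties
"AuditLevel: $($props.AuditLevel)"
# To enable verbose auditing on the farm (uncomment to apply):
# Set-AdfsProperties -AuditLevel Verbose
# auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable

# 3. Correlate: take the newest 325 from the Admin log, extract its Instance ID
#    and list the Security-log 501 events that carry the same ID.
$guidPattern = '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
$e325 = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 325 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
if ($e325) {
    $instanceId = [regex]::Match($e325.Message, $guidPattern).Value
    "Latest 325 at $($e325.TimeCreated), Instance ID '$instanceId'"
    if ($instanceId) {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 501 } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like "*$instanceId*" } |
            ForEach-Object { "--- 501 at $($_.TimeCreated) ---"; $_.Message }
    } else {
        "No Instance ID found in the 325 message text; correlate manually by time."
    }
} else {
    "No event 325 found in AD FS/Admin."
}
```

Read the output top to bottom: an unexpected deny rule or a non-empty AdditionalAuthenticationRules set explains a 325 on its own, while an AuditLevel of None (or a disabled "Application Generated" subcategory) explains why no 501 events appear at all. The 501 messages list the caller's claims, which is what the claim rules in the RP are evaluated against.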
davetech2020-1942 answered BrianWilson-5980 commented

Hi @piaudonn,

Same issue after resetting things and 2 complete reboots of the ADFS farm. Here are the 501 errors I'm seeing; obviously there are quite a few since the user (me) is in a lot of groups:

 More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information. 
    
 Instance ID: 
 2681fa01-1ef5-4eb2-aec9-b79545fba569 
     
 Caller identity: 
 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name 
 DOMANIN\XXXX 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid 
 S-1-5-21-288254211-2898031401-xxx 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid 
 S-1-5-21-288254211-2898031401-xxx 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-x xx
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-1-0 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-32-xxx
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-32-xxx 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-32-xxx 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-2 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-11
    
 More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information. 
    
 Instance ID: 
 2681fa01-1ef5-4eb2-aec9-b79545fba569 
     
 Caller identity: 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-15 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10688 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-5751 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10724 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10740 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-2449 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-5924 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-2625 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10736 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-7671
    
 More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information. 
    
 Instance ID: 
 2681fa01-1ef5-4eb2-aec9-b79545fba569 
     
 Caller identity: 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-8024 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10681 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10738 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-2228 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-11637 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10795 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-1104 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10803 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-1413 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-7887
    
 More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information. 
    
 Instance ID: 
 2681fa01-1ef5-4eb2-aec9-b79545fba569 
     
 Caller identity: 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-2751 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-3565 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10713 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10723 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-1422 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-11126 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-7841 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-7707 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-7874 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10739
    
 More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information. 
    
 Instance ID: 
 2681fa01-1ef5-4eb2-aec9-b79545fba569 
     
 Caller identity: 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-8131 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10865 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10720 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10664 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-8049 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-6110 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-1108 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10727 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10792 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-2353
    
 More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information. 
    
 Instance ID: 
 2681fa01-1ef5-4eb2-aec9-b79545fba569 
     
 Caller identity: 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10700 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-7993 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10804 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10685 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10728 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-1113 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-5706 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-8030 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-2784 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10741
    
 More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information. 
    
 Instance ID: 
 2681fa01-1ef5-4eb2-aec9-b79545fba569 
     
 Caller identity: 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-1439 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-1107 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10731 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-5602 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10116 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-5705 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-1105 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-2652 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10665 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-6126
    
 More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information. 
    
 Instance ID: 
 2681fa01-1ef5-4eb2-aec9-b79545fba569 
     
 Caller identity: 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10775 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-8079 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10632 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-7909 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-7919 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-1106 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-7990 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-2304 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-1223 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10806
    
 More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information. 
    
 Instance ID: 
 2681fa01-1ef5-4eb2-aec9-b79545fba569 
     
 Caller identity: 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-1412 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-7613 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-8008 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-10726 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-7908 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-8135 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-8083 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 S-1-5-21-288254211-2898031401-238993119-5863 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid 
 More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information. 
    
 Instance ID: 
 2681fa01-1ef5-4eb2-aec9-b79545fba569 
     
 Caller identity: 
 http://schemas.microsoft.com/ws/2014/01/identity/claims/accountstore 
 AD AUTHORITY 
 http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname 
 http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime 
 2021-03-xxx
 http://schemas.microsoft.com/ws/2013/11/alternateloginid 
 user.name@XXXX.com
    
 More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information. 
    
 Instance ID: 
 2681fa01-1ef5-4eb2-aec9-b79545fba569 
     
 Caller identity: 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod 
 http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password 
 http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant 
 2020-12-28T20:08:00.590Z 
 http://schemas.microsoft.com/claims/authnmethodsproviders 
 FormsAuthentication 
 http://schemas.microsoft.com/ws/2017/04/identity/claims/accountthrottled 
 false 
 http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path 
 /adfs/services/trust/2005/usernamemixed 
 http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork 
 true 
 http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id 
 f1b6e89c-f5cf-403b-bc6e-2262c88394d8 
 http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip 
 168.61.XXX.XXX 
 http://schemas.microsoft.com/2014/09/requestcontext/claims/userip 
 168.61.XXX.XXX
 http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname 
 DOMAIN\XXXXX
    
 More information for the event entry with Instance ID 2681fa01-1ef5-4eb2-aec9-b79545fba569. There may be more events with the same Instance ID with more information. 
    
 Instance ID: 
 2681fa01-1ef5-4eb2-aec9-b79545fba569 
     
 Caller identity: 
 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn 
 user.name@domain.com 
 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn 
 user.name@domain.local 
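The event 501 entries above spread one request's claims across several events that share an Instance ID, in an alternating claim-type line / claim-value line layout. As an added example (not from the original post), this Python merges such dumps by Instance ID and summarises the UPN-related claims a defender checks when event 325/1000 rejects issuance for urn:federation:MicrosoftOnline; the sample text, the GUID and the example.com/example.local values are constructed.

```python
"""Merge AD FS Event 501 'Caller identity' claims that share an Instance ID.
Added example, not from the original post; SAMPLE_501 is constructed text."""
from collections import defaultdict

SAMPLE_501 = """\
Instance ID:
11111111-2222-3333-4444-555555555555
Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
S-1-5-21-1-2-3-512
http://schemas.microsoft.com/ws/2013/11/alternateloginid
user.name@example.com
More information for the event entry with Instance ID 11111111-2222-3333-4444-555555555555. There may be more events with the same Instance ID with more information.
Instance ID:
11111111-2222-3333-4444-555555555555
Caller identity:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
user.name@example.com
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn
user.name@example.local
"""

UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
IMPLICIT_UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn"
ALT_LOGIN_ID = "http://schemas.microsoft.com/ws/2013/11/alternateloginid"
NON_ROUTABLE = (".local", ".internal", ".lan")  # suffixes a cloud tenant cannot verify

def parse_event_501(text):
    """Return {instance_id: {claim_type: [values]}}, merged across all events."""
    claims = defaultdict(lambda: defaultdict(list))
    for chunk in text.split("Instance ID:")[1:]:
        head, _, body = chunk.partition("Caller identity:")
        instance = head.strip()
        # Drop blanks and the repeated "More information ..." banner line.
        lines = [s for s in map(str.strip, body.splitlines())
                 if s and not s.startswith("More information")]
        for ctype, value in zip(lines[0::2], lines[1::2]):  # type, then value
            claims[instance][ctype].append(value)
    return {k: dict(v) for k, v in claims.items()}

def review_identity_claims(claims):
    """Report which value went out as upn and whether either UPN has a suffix
    the tenant cannot have verified (hypothetical check, not AD FS logic)."""
    first = lambda t: claims.get(t, [None])[0]
    upn, implicit, alt = first(UPN), first(IMPLICIT_UPN), first(ALT_LOGIN_ID)
    findings = []
    if upn and alt and upn.lower() == alt.lower():
        findings.append("upn claim carries the alternateloginid value; AD UPN is in implicitupn")
    for label, value in (("upn", upn), ("implicitupn", implicit)):
        if value and value.lower().endswith(NON_ROUTABLE):
            findings.append(f"{label} suffix is not routable: {value.split('@')[-1]}")
    return {"upn": upn, "implicitupn": implicit, "alternateloginid": alt, "findings": findings}
```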
Did you ever get to the bottom of this issue, as we are having the same problem exactly?
