After configuring Active Directory Federation Services (ADFS) to synchronize the company AD with Azure AD, it is time to start using Office 365. Surprisingly, an error sometimes occurs when a user connects to the configured company ADFS server: the connection fails with error AADSTS50107.



This error only affects specific AD users, who appear to have synchronized correctly to Azure AD. Even creating a copy of the same user reproduces the same issue. So how to solve this?



Rejected Solution



To solve this issue one must determine which AD group or groups are responsible. So dump all AD groups the user is a member of and split those AD groups into roughly equal chunks. After that, remove all AD groups from that user and start adding the chunks back one by one, testing the Office 365 logon between the imports. In my case there was one AD group that was a member of many nested AD groups. At first I thought this caused the token to grow beyond the maximum size accepted by ADFS, blocking the user from authenticating correctly, so I deleted the group from the user.



Real Solution



I'm not really sure the token size was too big for ADFS to handle, but adding that one AD group back to the user recreated the issue, and deleting it from the user solved it. Last week I ran into a similar issue with another user and again I could pinpoint the issue to a specific AD group (a different AD group from the one above). I decided to try the same, so I deleted the AD group from the user and he could access Office 365 with no issue. Adding the group back to the user resulted in the same error! Not happy with the solution used earlier, I decided to investigate the issue further. I changed the group's name with no improvement. I added my own account to the AD group and yes, the same issue! I then decided to delete the AD group and recreate it with the same name, members and properties (it was a security AD group used to set NTFS rights). Issue solved! It looks like the ADFS issue can have something to do with specific AD groups conflicting with ADFS!



After some testing with the AD group causing the issue, restored using Veeam, I found that the issue is described in this article. Within ADFS there is a rule that searches for a group ending in *515, which returns not only the Domain Computers group but also every other group ending in 515. Putting a '-' before the 515 solves the issue!
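To check which of a user's groups the loose suffix match would catch, here is an added Python example (not code from the post, nor from ADFS itself). It applies the two suffix patterns the post describes to constructed sample SIDs; the domain SID and group names are made up, and the assumption is that the ADFS rule matches the group SID suffix in regex style, as the post describes.

```python
import re

# Constructed sample group SIDs for a hypothetical domain (not from the post).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_GROUP_SIDS = {
    "Domain Computers": f"{DOMAIN}-515",      # well-known RID 515
    "Domain Users": f"{DOMAIN}-513",          # well-known RID 513
    "FS-Finance-Modify": f"{DOMAIN}-1515",    # custom RID that happens to end in 515
    "FS-Archive-Read": f"{DOMAIN}-10515",     # another custom RID ending in 515
    "FS-Sales-Read": f"{DOMAIN}-1516",        # custom RID that does not end in 515
}

# The loose suffix match (any SID ending in 515) versus the corrected one
# (the separator '-' must precede 515, so the RID itself is 515).
LOOSE_PATTERN = re.compile(r"515$")
STRICT_PATTERN = re.compile(r"-515$")


def matching_groups(sids, pattern):
    """Return the sorted names of groups whose SID matches the given pattern."""
    return sorted(name for name, sid in sids.items() if pattern.search(sid))


def overmatched_groups(sids):
    """Groups the loose pattern catches that the corrected pattern does not.

    Any group listed here is a candidate for the AADSTS50107 symptom the post
    describes: its RID merely ends in the digits 515, yet the loose rule treats
    it like Domain Computers.
    """
    loose = set(matching_groups(sids, LOOSE_PATTERN))
    strict = set(matching_groups(sids, STRICT_PATTERN))
    return sorted(loose - strict)


if __name__ == "__main__":
    print("loose match  :", matching_groups(SAMPLE_GROUP_SIDS, LOOSE_PATTERN))
    print("strict match :", matching_groups(SAMPLE_GROUP_SIDS, STRICT_PATTERN))
    print("over-matched :", overmatched_groups(SAMPLE_GROUP_SIDS))
```

Feeding the real group SIDs of an affected user into `overmatched_groups` points directly at the groups to look at instead of bisecting memberships by hand.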



There are not a lot of articles out there about this issue, so if this article helps you, please share it.




