ADFS - web server error

I am trying to configure an NT-token based app. The configuration seems to be
fine when checked with the ADFS diagnostics tool on the web server. I do not
have access to the Account FS or the Resource FS as they are hosted elsewhere
but they seem to be working fine as I am able to successfully login. After
logging in I get access denied to my application and the following errors
show up in the event logs.

Application log: ADFS ISAPI Extension error

The ADFS Web Agent Internet Server Application Programming Interface (ISAPI)
Extension was unable to obtain a Windows NT token from the authentication
service.

An anonymous token will be generated for this request.


Security log:

Error 1:

The user has not been granted the requested
logon type at this machine

Logon Type: 3

Error 2: ADFS Web Agent Authentication Service Auditor

The client presented a valid XML token, but an error occurred during the
attempt to generate a Windows NT token from the security IDs (SIDs). The
error code was 1385.


I have created shadow accounts and we are using UPN claims. I have added the
necessary UPN suffixes in the AD of which the web server is a member.

What am I missing?

Let me know if I need to provide more information.

Regards,
Avis

1385 = "the user has not been granted the required logon type on this
computer". That usually means that something in the local security policy
has changed the policy in regards to the logon type which in this case is
"3" which means network login.

Check in secpol.msc to see if someone has removed the "authenticated users"
group from the "access this computer from the network" security policy.

There may also be something else weird going on with the login but I'd start
there to see if that might help.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Avis" <> wrote in message
news:8B1FD9B3-1499-42E2-9F5F-...
>I am trying to configure an NT-token based app. The configuration seems to
>be
> fine when checked with the ADFS diagnostics tool on the web server. I do
> not
> have access to the Account FS or the Resource FS as they are hosted
> elsewhere
> but they seem to be working fine as I am able to successfully login. After
> logging in I get access denied to my application and the following errors
> show up in the event logs.
>
> Application log: ADFS ISAPI Extension error
>
> The ADFS Web Agent Internet Server Application Programming Interface
> (ISAPI)
> Extension was unable to obtain a Windows NT token from the authentication
> service.
>
> An anonymous token will be generated for this request.
>
>
> Security log:
>
> Error 1:
>
> The user has not been granted the requested
> logon type at this machine
>
> Logon Type: 3
>
> Error 2: ADFS Web Agent Authentication Service Auditor
>
> The client presented a valid XML token, but an error occurred during the
> attempt to generate a Windows NT token from the security IDs (SIDs). The
> error code was 1385.
>
>
> I have created shadow accounts and we are using UPN claims. I have added
> the
> necessary UPN suffixes in the AD of which the web server is a member.
>
> What am I missing?
>
> Let me know if I need to provide more information.
>
> Regards,
> Avis
>