0

Our ADFS is no longer able to retrieve role information from Active Directory for some of our users. Two things happened around the time this issue started. The first was that the ADFS anchor claim type was changed from WindowsAccountName to UPN. The second is that our primary domain controller was rebuilt on new hardware.

The claims rule we use is below:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);

For some users this issues a role claim for each group membership as expected but for others no role claims are issued as though the tokenGroups attribute was empty. We've verified that the group memberships are in place and even checked that tokenGroups attribute is populated with a different application. Other attributes from Active Directory are retrieved and issued properly, however none of the tokenGroup based queries or memberOf are able to return information.

What could prevent a specific attribute from being retrieved from Active Directory and only for some users?

Nick Sarabyn
  • 111
  • 3

1 Answer

0

Did you test tokengroups query using another domain admin account or using the adfs service account?

If the adfs service account doesn't have the required privileges for doing the group membership queries based on the permissions defined on a user account, you may find it works for a subset of users.

Add the adfs service account to the Windows Authorization Access group. See https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#windows-authorization-access-group for more details of the group.

maweeras
  • 2,734
  • 2
  • 17
  • 23
  • We did verify that the tokengroups property was correct in both ADUC and a custom application, both running under a different domain admin account. I just checked and the ADFS service account is a member of the Windows Authorization Access group. – Nick Sarabyn Apr 21 '20 at 17:03
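The following diagnostic is an added example, not code from the question, the answer, or Microsoft. It does in plain PowerShell what the ADFS "Active Directory" attribute store does for the rule above: bind to the user, read the constructed tokenGroups attribute, translate each SID to a group name, and compare the result with memberOf. It also checks the Windows Authorization Access Group membership the answer recommends and dumps the ACEs on the user object that apply to the service account. Run it once as a domain admin and once under the ADFS service account (for example `runas /user:DOMAIN\svc-adfs powershell.exe`); if the service-account run returns nothing for the affected users only, the difference is in the permissions on those user objects. `svc-adfs`, `DOMAIN` and the user name are placeholders.

```powershell
# Added diagnostic for the ";tokenGroups;{0}" ADFS claims rule (example code, not from the page).
# Requires the ActiveDirectory module (RSAT). Placeholders: svc-adfs, the tested user name.
param(
    [Parameter(Mandatory = $true)] [string] $SamAccountName,   # user to test, e.g. 'jdoe' (placeholder)
    [string] $AdfsServiceAccount = 'svc-adfs'                  # placeholder ADFS service account
)

Import-Module ActiveDirectory

"Running as          : $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# 1. Is the ADFS service account in the Windows Authorization Access Group (BUILTIN, SID S-1-5-32-560)?
#    Checked recursively in case the account is nested through another group.
$waa      = Get-ADGroup -Identity 'S-1-5-32-560'
$isMember = Get-ADGroupMember -Identity $waa -Recursive |
            Where-Object { $_.SamAccountName -eq $AdfsServiceAccount }
"{0} in '{1}': {2}" -f $AdfsServiceAccount, $waa.Name, [bool]$isMember

# 2. Read tokenGroups the way the attribute store does: ADSI bind, then request the
#    constructed attribute explicitly (it is never returned unless asked for).
$user  = Get-ADUser -Identity $SamAccountName
$entry = [ADSI]("LDAP://" + $user.DistinguishedName)
$entry.psbase.RefreshCache(@('tokenGroups'))
$sids = foreach ($raw in $entry.psbase.Properties['tokenGroups']) {
    New-Object System.Security.Principal.SecurityIdentifier($raw, 0)   # byte[] -> SID
}

# 3. Translate each SID to DOMAIN\Group, i.e. the value each role claim would carry.
$roles = foreach ($sid in $sids) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # keep the raw SID if the name cannot be resolved (e.g. foreign domain SID)
}

# 4. memberOf, which the question says is empty for the same users, for comparison.
$memberOf = (Get-ADUser -Identity $SamAccountName -Properties memberOf).memberOf

"tokenGroups returned: $($roles.Count) group(s)"
"memberOf returned   : $($memberOf.Count) group(s)"
$roles | Sort-Object | ForEach-Object { "  role: $_" }

# 5. ACEs on this user object that mention the service account or the WAA group.
#    A user whose tokenGroups/memberOf is readable by an admin but not by the service
#    account will differ from a working user here.
$acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$AdfsServiceAccount" -or
                   $_.IdentityReference -like '*Authorization Access*' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Compare the step 5 output of a working user with that of a failing user: per-user differences in the ACL are the usual reason a query succeeds for a subset of accounts, and one common source of such differences is that the failing users are protected accounts whose ACL is periodically reset from AdminSDHolder. If the ADFS service account is a group managed service account it cannot be used with `runas`; in that case rely on the step 5 ACL comparison, or run the script from a scheduled task configured with that account.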