Error AADSTS50107 when trying ADFS Logon via SubDomain.

정석원_MS 1 Reputation point
2023-03-06T05:14:34.71+00:00

Hello.

I am trying to configure a domain separation environment through a SubDomain, with the Root Domain registered first.

Registering the SubDomain was successful, but when I tried an ADFS logon, the AADSTS50107 error occurred.


Before attempting the claim generation script for multiple domains on the https://adfshelp.microsoft.com/AadTrustClaims/GenerateClaims page, I would like to confirm that the procedure is correct.

  1. Is there any problem if the claim script created on the above page is executed without any modification?
  2. Is it possible to use the method described at https://blog.kloud.com.au/2012/08/26/office-365-ad-fs-2-0-with-multiple-domains-and-subdomains-2/?cn-reloaded=1, which modifies the claim issuance policy regex?

What I am ultimately trying to do is configure an account assigned a UPN such as sub.contoso.com so that it can log in successfully.

Microsoft Security | Active Directory Federation Services
Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Limitless Technology 45,016 Reputation points
    2023-03-07T08:24:04.6033333+00:00

    Hello

    Thank you for your question and for reaching out. I understand you are having queries/issues related to an ADFS error.

    This issue occurs for one of the following reasons:

    The Issuance Transform rule that's required to change the issuer from the default Active Directory Federation Services (AD FS) instance host name to the issuer set for the federated domain is missing.

    The Issuance Transform rule is not updated after you add child domains.

    SOLUTION

    1. Go to Azure AD RPT Claim Rules (https://adfshelp.microsoft.com/AadTrustClaims/GenerateClaims), and then click Next.
    2. Specify the value for Immutable ID (sourceAnchor) -> User Sign In (for example, UPN or mail). If multiple top-level domains are federated, select Yes when you are prompted to respond to "Does the Azure AD trust with AD FS support multiple domains?"
    3. Connect to Microsoft 365 PowerShell, and then export the list of domains to a .csv file (for example, output.csv). To do this, run the following cmdlets:

    Import-Module MSOnline

    Connect-MsolService

    Get-MsolDomain | Select-Object Name, RootDomain, Authentication | ConvertTo-Csv -NoTypeInformation | % {$_.Replace('"','')} | Out-File output.csv

    4. Click Generate Claims, and then copy the PowerShell cmdlets from the Claim Rules section.
    5. Save the cmdlets as a PowerShell script (for example, updateclaimrules.ps1), and then run the following command to run the script on the primary AD FS server:

    .\updateclaimrules.ps1

    6. The script makes a backup of the existing Issuance Transform rules as a .txt file in the current working directory.

    Reference :

    https://free.blessedness.top/en-us/microsoft-365/troubleshoot/authentication/cant-sign-in-office-365-multiple-domain-federation

    --If the reply is helpful, please Upvote and Accept as answer--
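The question asks whether the issuerid regex can simply be adapted for subdomains. The following is an added PowerShell example (not from the answer above, the question author, or Microsoft's claim generator) that uses a constructed stand-in for the output.csv export to show why a plain per-domain regex is not enough: a child domain inherits its root's federation settings, so the issuerid must name the root domain. It assumes the default IssuerUri form http://<domain>/adfs/services/trust/.

```powershell
# Added example; not part of the answer or of Microsoft's claim generator.
# Assumption: federated domains use the default IssuerUri form
# http://<domain>/adfs/services/trust/ (confirm with Get-MsolDomainFederationSettings).

# Constructed stand-in for output.csv (the Name,RootDomain,Authentication export above).
$domains = @"
Name,RootDomain,Authentication
contoso.com,,Federated
sub.contoso.com,contoso.com,Federated
fabrikam.com,,Managed
"@ | ConvertFrom-Csv

# Issuer Azure AD will accept for a UPN: a child domain inherits the federation
# settings of its root, so the issuerid must name the root domain, not the subdomain.
function Get-ExpectedIssuerId {
    param([string]$Upn, [object[]]$DomainTable)
    $suffix = ($Upn -split '@')[-1].ToLowerInvariant()
    $entry  = $DomainTable | Where-Object { $_.Name -ieq $suffix } | Select-Object -First 1
    if (-not $entry) { throw "$suffix is not a verified domain in this tenant" }
    if ($entry.Authentication -ne 'Federated') { return $null }   # managed: no issuerid needed
    $issuerDomain = if ($entry.RootDomain) { $entry.RootDomain } else { $suffix }
    return "http://$($issuerDomain.ToLowerInvariant())/adfs/services/trust/"
}

# What a naive per-domain issuerid rule emits. The claims-rule expression
# regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/")
# maps onto PowerShell's -replace with the same .NET regex.
function Get-NaiveIssuerId {
    param([string]$Upn)
    return $Upn.ToLowerInvariant() -replace '.+@(?<domain>.+)', 'http://${domain}/adfs/services/trust/'
}

# Compare the two for a root-domain user and a subdomain user. A mismatch means the
# token carries an issuer that is not a registered federation realm, which is what
# AADSTS50107 reports.
foreach ($upn in 'alice@contoso.com', 'bob@sub.contoso.com') {
    $expected = Get-ExpectedIssuerId -Upn $upn -DomainTable $domains
    $naive    = Get-NaiveIssuerId -Upn $upn
    $status   = if ($naive -eq $expected) { 'OK' } else { 'MISMATCH (AADSTS50107 expected)' }
    "{0,-22} rule emits {1,-46} expected {2,-46} {3}" -f $upn, $naive, $expected, $status
}
```

Run it against your real output.csv (replace the here-string with Import-Csv .\output.csv) to check which UPN suffixes the generated rules must map to a root-domain issuer before applying them.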


  2. Robert Burnett 0 Reputation points
    2025-10-21T19:26:51.2166667+00:00

    Check the AD UC user account properties; if the account is not configured for AES 256, it will throw this error. Enable AES 256 and reset the password; this will resolve the error.

    Robert

