The Federation Service encountered an error while generating a token for a Windows NT token-based application. The token ...

The Federation Service encountered an error while generating a token for a Windows NT token-based application. The token from the account partner does not contain a user principal name (UPN) claim, an e-mail claim, or group claims that can be mapped to Active Directory Domain Services groups. 

This token request will fail. 

User Action 
Ensure that configuration settings are consistent between this Federation Service and the account partner. The Federation Service is configured to determine whether a shadow account should be used based on the presence of a groups claims that can be mapped to Active Directory Domain Services groups in the token at the time of the authentication. In this case, no such groups were present; however, no UPN or e-mail claim was present. Ensure the following: (1) the local account setting for this partner is correct, (2) organization groups have properly configured mappings to Active Directory Domain Services groups, (3) the account partner is including the correct claims for this user: if no groups that can be mapped to an Active Directory Domain Services group have been included in the token, a UPN or e-mail claim must be present.