The Federation Service encountered an error while generating a token for a Windows NT token-based application. The token ...

The Federation Service encountered an error while generating a token for a Windows NT token-based application. The token from the account partner does not contain a user principal name (UPN) claim, an e-mail claim, or group claims that can be mapped to Active Directory Domain Services groups. 

This token request will fail. 

User Action 
Ensure that configuration settings are consistent between this Federation Service and the account partner. The Federation Service is configured to determine whether a shadow account should be used based on the presence of a UPN or e-mail claim in the token at the time of the authentication. In this case, no UPN or e-mail claim was present; however, no groups that could be mapped to Active Directory Domain Services groups were present. Ensure the following: (1) the local account setting for this partner is correct, (2) organization groups have properly configured mappings to Active Directory Domain Services groups, (3) the account partner is including the correct claims for this user: if a user has a shadow account, the token should contain a UPN or e-mail claim; otherwise, the token should contain group claims that can be mapped to Active Directory Domain Services groups.