If a user's UPN (user principal name) has been changed recently, they may receive an AD FS error when signing into the Egress Client (Internal AD FS error / CP-SVC: Failure calling CP service) or the web portal (Email claim not found).
The Egress Client logs will show whether an email claim is not being passed, e.g. CP-SVC: Failure calling CP service ---> System.ServiceModel.FaultException: Email claim is not found. Before treating this as a caching problem, confirm in AD that the renamed account actually has the mail attribute populated; the same error is produced when there is simply no value to claim.
This error is usually caused by the output claims being missing: the AD FS server holds a local cache of user name to SID translations (the LSA lookup cache), so after a UPN change it can keep serving the stale, pre-change mapping and the claim lookup for the renamed user fails.
This is explained further in this Microsoft TechNet article.
If you are setting up AD FS integration for the first time, you may also see this error with test accounts that have no mailbox linked to them. The same applies to any other claim that we look for when creating the token.
This issue can be resolved by either:
- Rebooting the AD FS server, which clears the LSA user name to SID translation cache.
- Changing the LsaLookupCacheMaxSize registry value (a DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; setting it to 0 disables the cache so lookups go to the domain controller) by following this Microsoft KB Guide. This avoids a reboot of the federation server.
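The registry-based fix, as an added PowerShell example rather than a script from Egress or Microsoft. It first shows what LSA on the AD FS server currently resolves a user's SID to (a stale name here is the symptom of the cache described above), then sets LsaLookupCacheMaxSize to 0 to flush and disable the cache, repeats the lookup, and by default removes the value again so caching returns to its default. The $SamAccountName value and the decision to restore caching afterwards are assumptions; the KB states that no restart is needed for the value to take effect, but check the behaviour on your own build. Run it elevated on the AD FS server.

```powershell
# Added example (not from the Egress article): flush the LSA name/SID lookup
# cache on an AD FS server without rebooting, and show the before/after result.
# Assumed parameters: an account to test with, and whether to leave the cache off.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # e.g. 'CONTOSO\jsmith' (assumed example)
    [switch]$DisableCachePermanently                 # keep cache disabled instead of restoring default
)

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'LsaLookupCacheMaxSize'

# 1. Round-trip name -> SID -> name through LSA. If the returned name is the
#    pre-rename name, this server is still serving a stale cached mapping.
$account  = New-Object System.Security.Principal.NTAccount($SamAccountName)
$sid      = $account.Translate([System.Security.Principal.SecurityIdentifier])
$resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
Write-Host "Before: LSA resolves $($sid.Value) to '$resolved'"

# 2. Report the current cache setting (value absent = default size in effect).
$current = (Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Host "$valueName is not set (default cache size in effect)"
} else {
    Write-Host "$valueName is currently $current"
}

# 3. Disable the cache. 0 means no entries are kept, so the next lookup
#    goes to a domain controller and returns the current name.
Set-ItemProperty -Path $lsaKey -Name $valueName -Value 0 -Type DWord
Write-Host "Set $valueName = 0 (LSA lookup cache disabled)"

# 4. Repeat the lookup; the result should now match what AD holds.
$resolvedAfter = $sid.Translate([System.Security.Principal.NTAccount]).Value
Write-Host "After:  LSA resolves $($sid.Value) to '$resolvedAfter'"

# 5. Unless asked to leave it disabled, remove the value so the default
#    cache size applies again (assumption: you want normal caching back).
if (-not $DisableCachePermanently) {
    Remove-ItemProperty -Path $lsaKey -Name $valueName
    Write-Host "Removed $valueName (cache re-enabled at default size)"
}
```

If a farm has several federation servers, run this on each one, since the LSA cache is per machine and a load balancer may send the user to a server that still holds the old mapping.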