While trying to access ADFS federation metadata or trying to access CRM Org (configured for Claims Based Authentication) will produce the following errors if ADFS Token-signing and Token-decryption certificates are expired.

As viewed from ADFS Management Console:

The thumbprint values in the Error Logs can also be viewed through PS Command as shown below:

1. Update Token-Signing and Token-Decrypting certificate

Running the above will add a pair of under Token-Signing and Token-Decrypting certificates

Run the PS Command Set-AdfsProperties -AutoCertificateRollover $false and delete the secondary certificate from the ADFS Management console view.

Ensure that the certificate chain is installed correctly under Trusted Root Certification Authorities

After the renewing the Token-Signing and Token-Decrypting certificates the Federationmetadata endpoint should now be accessible.