Trying to access the ADFS federation metadata endpoint, or a CRM organization configured for claims-based authentication, produces the following errors if the ADFS Token-Signing and Token-Decrypting certificates have expired.
As viewed from ADFS Management Console:
The thumbprint values quoted in the error logs can also be viewed with the PowerShell command shown below:
- Update the Token-Signing and Token-Decrypting certificates
Running the above adds a pair of new certificates, one under Token-Signing and one under Token-Decrypting.
Run the PowerShell command Set-AdfsProperties -AutoCertificateRollover $false, then delete the secondary certificate from the ADFS Management console view.
Ensure that the certificate chain is installed correctly under Trusted Root Certification Authorities
After renewing the Token-Signing and Token-Decrypting certificates, the FederationMetadata endpoint should be accessible again.
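The following script is an added example and is not part of the original post or a Microsoft-supplied procedure. It walks the post's steps end to end from an elevated PowerShell session on the primary ADFS server: list the token certificate thumbprints and expiry dates that appear in the event log errors, renew both certificates, disable automatic rollover and remove the expired secondaries, check that each new primary chains to a trusted root on this server, and confirm the federation metadata endpoint answers and advertises the new signing certificate. Assumptions: the ADFS PowerShell module is installed, Update-AdfsCertificate -Urgent stands in for the renewal command the post does not show, Remove-AdfsCertificate stands in for the console delete, and the metadata URL is built from the farm's HostName property.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the primary ADFS server with the ADFS module available.
Import-Module ADFS

function Show-TokenCertificates {
    # Thumbprint, expiry and primary/secondary status of the token certificates.
    # These thumbprints are the ones quoted in the ADFS event log errors.
    Get-AdfsCertificate |
        Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' } |
        Select-Object CertificateType, IsPrimary, Thumbprint,
            @{ Name = 'NotAfter'; Expression = { $_.Certificate.NotAfter } },
            @{ Name = 'Expired';  Expression = { $_.Certificate.NotAfter -lt (Get-Date) } } |
        Format-Table -AutoSize
}

Write-Host "== Before renewal =="
Show-TokenCertificates

# Step 1: renew. Update-AdfsCertificate requires automatic rollover to be on.
# -Urgent (assumption: chosen here because the old certificate is already
# expired) makes the new certificate primary immediately; without it the new
# certificate is only added as a secondary and promoted later.
if (-not (Get-AdfsProperties).AutoCertificateRollover) {
    Set-AdfsProperties -AutoCertificateRollover $true
}
Update-AdfsCertificate -CertificateType Token-Signing    -Urgent
Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent

# Step 2: stop ADFS from rolling the certificates again on its own schedule,
# as the post does, then drop the expired secondaries. The post deletes them
# in the management console; Remove-AdfsCertificate is the PowerShell equivalent.
Set-AdfsProperties -AutoCertificateRollover $false
Get-AdfsCertificate |
    Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' -and
                   -not $_.IsPrimary -and $_.Certificate.NotAfter -lt (Get-Date) } |
    ForEach-Object {
        Write-Host "Removing expired $($_.CertificateType) $($_.Thumbprint)"
        Remove-AdfsCertificate -CertificateType $_.CertificateType -Thumbprint $_.Thumbprint
    }

# Step 3: confirm the chain of each new primary builds on this server. The
# auto-generated certificates are self-signed, so this only succeeds when the
# certificate itself is present under Trusted Root Certification Authorities.
$primaries = Get-AdfsCertificate |
    Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' -and $_.IsPrimary }
foreach ($entry in $primaries) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed: no CRL to fetch
    $ok = $chain.Build($entry.Certificate)
    $status = if ($ok) { 'chain OK' } else { ($chain.ChainStatus | ForEach-Object Status) -join ', ' }
    Write-Host "$($entry.CertificateType) $($entry.Thumbprint): $status"
}

# Step 4: the federation metadata endpoint should answer again and carry the
# new signing certificate (the metadata embeds it as base64 DER, so compare
# against the raw certificate bytes rather than the thumbprint).
$metaUrl = "https://$((Get-AdfsProperties).HostName)/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $metaUrl -UseBasicParsing
[xml]$meta = $resp.Content
$published = $meta.SelectNodes("//*[local-name()='X509Certificate']") |
    ForEach-Object { $_.InnerText -replace '\s', '' }
$signing    = $primaries | Where-Object CertificateType -eq 'Token-Signing'
$signingB64 = [Convert]::ToBase64String($signing.Certificate.RawData)
Write-Host "Metadata HTTP status: $($resp.StatusCode)"
Write-Host ("New signing certificate published in metadata: {0}" -f ($published -contains $signingB64))

Write-Host "== After renewal =="
Show-TokenCertificates
```

Because the renewal is applied with -Urgent, ADFS starts signing tokens with the new key as soon as the command returns. Any relying party that keeps a copy of the old signing certificate, such as a CRM organization that does not refresh federation metadata automatically, will reject the new tokens until its copy of the metadata is refreshed, so plan that refresh for the same maintenance window and watch the ADFS event log on both sides for signature validation failures afterwards.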