ADFS HTTP Error 401 – Unauthorized: Access is denied (ADFS – CRM) / ADFS – An Error Occurred

When the ADFS Token-Signing and Token-Decrypting certificates are automatically renewed (certificate rollover), users might no longer be able to log in to CRM. They receive "HTTP 401 Unauthorized: Access is denied" errors, or "An Error Occurred".

To remove the expired token certificates you need PowerShell. To load the ADFS cmdlets, in PowerShell type:

Add-PSSnapin Microsoft.Adfs.PowerShell

Then delete the expired certificates with the following command, run twice: once for the Token-Signing certificate and once for the Token-Decrypting certificate.

Remove-ADFSCertificate -CertificateType "<certificate type>" -Thumbprint "<thumbprint>"

Where <certificate type> is Token-Signing or Token-Decrypting, and <thumbprint> is the thumbprint of the expired certificate (Get-ADFSCertificate lists the certificates of each type with their thumbprints).

On the ADFS server, the -Urgent switch promotes the secondary certificate to primary immediately instead of waiting for the scheduled rollover:

Update-ADFSCertificate -CertificateType Token-Signing -Urgent
Update-ADFSCertificate -CertificateType Token-Decrypting -Urgent
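The following script is an added example, not code from the original post: it inventories both token certificate types on the ADFS server, flags the expired ones, and removes only expired certificates that are not the primary (an expired primary is the case for the -Urgent update above, not for removal). It assumes it runs on the ADFS server as an ADFS administrator; the $DryRun gate is the example's own safeguard, and the Add-PSSnapin line is only needed on ADFS 2.0 (Windows Server 2008 R2), newer versions load the Adfs module automatically.

```powershell
# Added example (not from the original post): list ADFS token certificates,
# flag expired ones, and remove only expired, non-primary certificates.
# Assumes it runs on the ADFS server as an ADFS administrator.
# ADFS 2.0 needs the snap-in; on newer versions the module auto-loads, so a
# failure to add the snap-in is ignored.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Example's own safeguard: with $true nothing is removed, the script only reports.
$DryRun = $true
$now    = Get-Date

foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    $certs = @(Get-AdfsCertificate -CertificateType $type)

    # Never delete the last usable certificate of a type: if nothing unexpired is
    # present, a renewal is needed before anything is removed.
    $valid = @($certs | Where-Object { $_.Certificate.NotAfter -gt $now })
    if ($valid.Count -eq 0) {
        Write-Warning "${type}: no unexpired certificate present - renew before removing anything"
        continue
    }

    foreach ($c in $certs) {
        $expired = $c.Certificate.NotAfter -lt $now
        $flag    = if ($expired) { 'EXPIRED' } else { 'ok' }
        '{0,-17} primary={1,-5} expires={2:yyyy-MM-dd} {3,-7} {4}' -f `
            $type, $c.IsPrimary, $c.Certificate.NotAfter, $flag, $c.Thumbprint

        if ($expired -and $c.IsPrimary) {
            # The primary is never removed here; promote the secondary first.
            Write-Warning "$type primary certificate is expired; run: Update-AdfsCertificate -CertificateType $type -Urgent"
        }
        elseif ($expired) {
            if ($DryRun) {
                "  would remove: Remove-AdfsCertificate -CertificateType $type -Thumbprint $($c.Thumbprint)"
            }
            else {
                Remove-AdfsCertificate -CertificateType $type -Thumbprint $c.Thumbprint
            }
        }
    }
}
```

Run it once with $DryRun left at $true and review the report; the thumbprints it prints are the ones to pass to Remove-ADFSCertificate, so setting $DryRun to $false on a second run removes exactly what the report listed.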

This occurs because CRM is still using the expired ADFS token certificates, so tokens issued with the renewed certificate are rejected.

On the CRM server, restart IIS:

iisreset

To resolve this:

Disable Claims-based Authentication and Internet-Facing Deployment in CRM.

Update the claims on the ADFS server.

Restart the CRM server.
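As an added example (not from the original post), the script below is a check to run from the CRM server before and after the steps above: it downloads the ADFS federation metadata that CRM's claims configuration imports and reports which signing and encryption certificates ADFS currently publishes, with their expiry dates. The ADFS hostname is a placeholder to replace with your federation service name; the metadata path is the standard ADFS one.

```powershell
# Added example (not from the original post): report the certificates that the
# ADFS federation metadata currently publishes. Runs from any machine that can
# reach the ADFS endpoint (e.g. the CRM server); no ADFS module required.
$adfsHost    = 'adfs.example.com'   # placeholder: your ADFS federation service name
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$dsNs        = 'http://www.w3.org/2000/09/xmldsig#'
$now         = Get-Date

# WebClient works on PowerShell 2.0 as well as on newer versions.
[xml]$md = (New-Object System.Net.WebClient).DownloadString($metadataUrl)

$seen = @{}
foreach ($node in $md.GetElementsByTagName('X509Certificate', $dsNs)) {
    # X509Certificate -> X509Data -> KeyInfo -> KeyDescriptor (use="signing"/"encryption")
    # or -> Signature, for the certificate that signed the metadata document itself.
    $owner = $node.ParentNode.ParentNode.ParentNode
    $use   = $owner.GetAttribute('use')
    if ([string]::IsNullOrEmpty($use)) { $use = 'metadata-sig' }

    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

    # The same certificate appears under several role descriptors; report each once.
    $key = "$use/$($cert.Thumbprint)"
    if ($seen.ContainsKey($key)) { continue }
    $seen[$key] = $true

    $flag = if ($cert.NotAfter -lt $now) { 'EXPIRED' } else { 'ok' }
    '{0,-13} expires={1:yyyy-MM-dd} {2,-7} {3}  {4}' -f `
        $use, $cert.NotAfter, $flag, $cert.Thumbprint, $cert.Subject
}

if ($seen.Keys -notmatch '^signing/') {
    Write-Warning 'Metadata publishes no signing certificate - ADFS cannot issue tokens CRM will accept'
}
```

If the signing thumbprint published here is not the one CRM was configured with, CRM keeps rejecting tokens until its claims configuration is refreshed, which is what the disable, update and restart steps above achieve; an EXPIRED entry in this report means the removal on the ADFS server has not taken effect yet.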
