When the ADFS Token-sgining and Token-Decrypting certificates in ADFS are automatically renewed, users in CRM might not be able to login. They receive HTTP 401 Unauthorized Access is denied errors.

This occurs because CRM is still using the expired ADFS token certificates. To resolve this reconfigure Claims-based Authentication and Internet-Facing deployment in CRM.

This article has more details: http://support.microsoft.com/kb/2686840

To remove the expired token certificate you will need to use PowerShell, To add the ADFS commands, in PowerShell type:

add-pssnapin microsoft.adfs.powershell

Then to delete the expired certificate, use the following command twice, once for the Token-Signing certificate and once for the Token-Decryption certificate.

remove-adfscertificate -certificatetype "certificate type" -Thumbprint "thumbprint"

Where certificate type is Token-Signing or Token-Encryption.