Users were unable to log in to their CRM instance today and simply got an error from ADFS. The event logs contained a number of stack traces detailing the errors. These mentioned the certificate revocation check setting "CheckChainExcludeRoot" and pointed at some PowerShell to use.

Add-PSSnapin Microsoft.ADFS.PowerShell (Import-Module ADFS if using Win2k12 R2)
Get-AdfsRelyingPartyTrust | Where {$_.Name -eq <name>}
This showed EncryptionCertificateRevocationCheck set to "CheckChainExcludeRoot", so to test whether this was causing the issue:
Set-AdfsRelyingPartyTrust -TargetName <name> -EncryptionCertificateRevocationCheck None
The firewall had been set to allow *.{certificate}.com. This certificate was renewed recently and its details show that the CRL URL has changed to something else; after adding the new URL as an exception to our firewall everything started working again, and the EncryptionCertificateRevocationCheck setting was put back to "CheckChainExcludeRoot".
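As an added example (not from the original post), this script reads the relying party trust's encryption certificate, lists the CRL URLs the firewall needs to reach, tests them from the ADFS server, and rebuilds the chain with the same revocation policy ADFS applies for "CheckChainExcludeRoot", so the check can stay enabled instead of being set to None. The trust name parameter is an assumption.

```powershell
# Added example: diagnose an ADFS encryption-certificate revocation failure
# without disabling the check. Assumes the ADFS module is available and
# $TrustName is the relying party trust's display name.
param(
    [Parameter(Mandatory)] [string] $TrustName
)

Import-Module ADFS   # Add-PSSnapin Microsoft.ADFS.PowerShell on older servers

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$cert  = $trust.EncryptionCertificate
"Trust '$TrustName' revocation policy: $($trust.EncryptionCertificateRevocationCheck)"
"Encryption cert: $($cert.Subject) (expires $($cert.NotAfter))"

# CRL Distribution Points extension (OID 2.5.29.31). Its formatted text holds
# one 'URL=...' per distribution point; a renewed cert may point at a new URL.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$crlUrls = @()
if ($cdp) {
    $crlUrls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
               ForEach-Object { $_.Groups[1].Value }
}
"CRL URLs the firewall must allow:"
$crlUrls | ForEach-Object { "  $_" }

# Confirm each CRL is reachable from this server before changing anything.
foreach ($url in $crlUrls) {
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        "  OK   $url ($($r.RawContentLength) bytes)"
    } catch {
        "  FAIL $url : $($_.Exception.Message)"
    }
}

# Reproduce the check ADFS performs: online revocation, root excluded.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$ok = $chain.Build($cert)
"Chain build with CheckChainExcludeRoot semantics: $(if ($ok) { 'passed' } else { 'FAILED' })"
$chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
```

A FAIL line against a URL together with a RevocationStatusUnknown or OfflineRevocation chain status points at the firewall rather than the certificate itself.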
