http://cognettacloud.com/?p=617(转)
When implementing ADFS to support Internet Facing Deployments (IFD) for CRM 2011 Claims Based Authentication, many administrators will experience an ADFS 503 error when trying the endpoint for both internal CRM and auth within a browser. The error message is usually 503, service not available. A simple IISreset might do the trick but for these cases it will not.
Previously, the undocumented fix was to use the handlers/FederationMetadata.ashx URL instead of the complete https://internalcrm.domain.com/FederationMetadata/2007–06/FederationMetadata.xml.
The issue behind why the 503 occurs, is because the URL was previously reserved in the Access Control List (ACL). Because of how the URL’s are reserved (before instead of after installation) and change of bindings and ports will leave the reserve URL already in place for /FederationMetadata/2007-06 etc.
From the CRM Server (or ADFS for external trust), using an adminstrative command prompt, issue the following command:
netsh http show urlacl (note: you can also use the > to pipe the output to a text file etc)
You are looking for the reservations made by ADFS:
Now delete the old URL reserveration by entering the following command:
netsh http delete urlacl url=https://+:443/FederationMetadata/2007-06
The URL has been deleted, you will need to reconfigure Claims Based but clicking on the wizard in the deployment manger again, re-stepping through the same steps (next,next,next etc). Now try the URL again and the ADFS 503 error will be gone!
Special thanks to Dan Francis @ Microsoft for contiuning to share ADFS tips together. Enjoy.