ID3242: The security token could not be authenticated or authorized.
After a lot of soul searching and hair pulling, we realized that the issue might be with the encryption certificate as the ADFS server cannot get to the CRL distribution point of the encryption certificate, due to the firewall.
This can be sorted out with these commands:
Add-PSSnapin Microsoft.ADFS.PowerShell   # or: Import-Module ADFS, if using Win2k12 R2
Set-ADFSRelyingPartyTrust -TargetName <name> -EncryptionCertificateRevocationCheck None
Set-ADFSRelyingPartyTrust -TargetName <name> -SigningCertificateRevocationCheck None
We also set the signing certificate revocation check to none, although I think this is not needed, but there seems to be some reluctance to remove it.
I write most of my posts well in advance and I'm not 100% sure that this is entirely correct. I'd like to say that I will check to make sure, but it's extremely unlikely.
Edit 2:
In our case it seems that this is indeed the solution as the ADFS server cannot get to the CRL Distribution Point, which causes issues :), which is why disabling the Revocation Checks on the certificates works.
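Before leaving revocation checking off, it helps to confirm that the CRL distribution point really is the part that cannot be reached, and to see which trusts currently have the check disabled. The script below is an added example, not part of the original post; it assumes it is run on the ADFS server, and `<name>` and the helper function `Get-CrlUrl` are placeholders introduced here.

```powershell
# Added example: run on the ADFS server in an elevated PowerShell session.
Import-Module ADFS   # older versions: Add-PSSnapin Microsoft.ADFS.PowerShell

$trustName = '<name>'   # placeholder: the relying party trust to examine

# Hypothetical helper: return the CRL distribution point URLs of a certificate.
function Get-CrlUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 2.5.29.31 is the OID of the CRL Distribution Points extension
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # On Windows, Format($true) renders the extension as text with "URL=<location>" entries
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

$trust = Get-AdfsRelyingPartyTrust -Name $trustName
# Encryption certificate plus any request-signing certificates on the trust
$certs = (@($trust.EncryptionCertificate) + @($trust.RequestSigningCertificate)) |
    Where-Object { $_ }

foreach ($cert in $certs) {
    foreach ($url in (Get-CrlUrl -Certificate $cert)) {
        if ($url -notmatch '^https?://') {
            $result = 'skipped (not an HTTP URL)'
        } else {
            try {
                # A successful download means the firewall allows this CRL fetch
                $null = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                $result = 'reachable'
            } catch {
                $result = "FAILED: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{ Subject = $cert.Subject; CrlUrl = $url; Result = $result }
    }
}

# List every relying party trust where a revocation check is switched off
Get-AdfsRelyingPartyTrust |
    Where-Object { $_.EncryptionCertificateRevocationCheck -eq 'None' -or
                   $_.SigningCertificateRevocationCheck -eq 'None' } |
    Select-Object Name, EncryptionCertificateRevocationCheck, SigningCertificateRevocationCheck
```

The download test runs as the logged-on user, so proxy or firewall rules that apply only to the ADFS service account can still give a different result for the service itself.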