
Unable to browse to the CRM FederationMetadata endpoint after configuring Claims-based auth


This has been resolved, but I wanted to throw it out here in case anyone runs across the same issue. A client had a new installation of CRM 2011 (Rollup 8) in a 'test' environment using self-signed certificates. Browsing to https://<crm_url>/FederationMetadata/2007-06/FederationMetadata.xml resulted in an error message "Invalid provider type specified." The trace detail is appended at the end of this post. Since that URL did not work, we could not finish configuring Claims-based access from within ADFS.

Long story short, the issue was that the self-signed certificate was generated using Windows 2008 CA using the 2008 (v3) template, instead of the 2003 (v2) template, and after re-generating a self-signed certificate using the 2003 template, everything started working again.

[2012-08-20 13:42:52.258] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread:   22 |Category: Platform |User: 00000000-0000-0000-0000-000000000000 |Level: Error |ReqId: 8947a20f-f821-4082-962f-e7f8421a5952 | ExceptionConverter.ConvertMessageAndErrorCode
>System.Security.Cryptography.CryptographicException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #287B825A: System.Security.Cryptography.CryptographicException: Invalid provider type specified.
>
>   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
>   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
>   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
>   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
>   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
>   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetAsymmetricAlgorithm(String algorithm, Boolean privateKey)
>   at Microsoft.IdentityModel.Protocols.XmlSignature.SignedXml.ComputeSignature(SecurityKey signingKey)
>   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureWriter.ComputeSignature()
>   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureWriter.OnEndRootElement()
>   at Microsoft.IdentityModel.Protocols.WSFederation.Metadata.MetadataSerializer.WriteEntityDescriptor(XmlWriter inputWriter, EntityDescriptor entityDescriptor)
>   at Microsoft.IdentityModel.Protocols.WSFederation.Metadata.MetadataSerializer.WriteMetadata(Stream stream, MetadataBase metadata)
>   at Microsoft.Crm.Authentication.Claims.MetadataGenerator.CreateFederationMetadata(Uri relyingPartyPassiveIdentifier, String certificateName, Stream stream)
>   at Microsoft.Crm.Authentication.Claims.MetadataGenerator.GenerateCrmFederationMetadata(Stream stream)
>   at Microsoft.Crm.Application.Components.Handlers.FederationMetadata.ProcessRequestInternal(HttpContext context)
>   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
>   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
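
A diagnostic for the situation described in the post, added here as an example and not part of the original post: it lists each certificate in the local machine store with the key API and provider that hold its private key. Background not stated in the post: certificates issued from v3 (Windows Server 2008) templates commonly keep the key in a CNG key storage provider, which the `X509Certificate2.PrivateKey` / `RSACryptoServiceProvider` path shown in the trace cannot open. Assumptions: Windows PowerShell 5.1 on .NET Framework 4.6 or later, an elevated session, and the certificate living in `Cert:\LocalMachine\My`.

```powershell
# Added diagnostic (not from the original post).
# Assumes Windows PowerShell 5.1, .NET Framework 4.6+, elevated session.
$ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        $cert = $_
        $row = [ordered]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeyApi     = 'unknown'
            Provider   = ''
        }
        try {
            # Unlike the PrivateKey getter, this opens both CSP and CNG keys.
            $key = $ext::GetRSAPrivateKey($cert)
            if ($null -eq $key) {
                $row.KeyApi = 'non-RSA or inaccessible'
            }
            elseif ($key -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the legacy RSACryptoServiceProvider path fails on it.
                $row.KeyApi   = 'CNG (KSP)'
                $row.Provider = $key.Key.Provider.Provider
            }
            elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CryptoAPI key: readable by the code path in the trace.
                $row.KeyApi   = 'CryptoAPI (CSP)'
                $row.Provider = $key.CspKeyContainerInfo.ProviderName
            }
        }
        catch {
            # Typically a permissions problem on the key container.
            $row.KeyApi = "error: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    } | Format-Table -AutoSize
```

A row reporting `CNG (KSP)` for the certificate selected for claims-based authentication matches the failure in the trace.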


