Here’s a quick tip to help you with ADFS service accounts. The ADFS service accounts used by the application for authentication require both “Log on as service” and “Log on as batch” access rights.

When does this become an issue? When GPOs lock down access rights, they can remove the “Log on as batch” or “Log on as service” access right from the ADFS service account.

This results in 503 Service Unavailable errors from the ADFS App Pool in IIS, with only generic Event ID errors logged.
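One way to confirm whether a GPO has stripped either right is to parse a `secedit` user-rights export, where the two rights appear as `SeServiceLogonRight` and `SeBatchLogonRight`. This is an added example, not part of the original tip: the function name `Test-AdfsLogonRights`, the account `CONTOSO\svc-adfs` and the sample SIDs are constructed. It only detects the account being listed directly, not rights inherited through group membership.

```powershell
# Added example: reports whether an account is listed directly for each right.
function Test-AdfsLogonRights {
    param(
        [Parameter(Mandatory)] [string]   $AccountName,  # e.g. DOMAIN\account
        [Parameter(Mandatory)] [string]   $AccountSid,
        [Parameter(Mandatory)] [string[]] $PolicyLines   # lines of a secedit USER_RIGHTS export
    )
    $result = [ordered]@{ Account = $AccountName }
    foreach ($right in 'SeServiceLogonRight', 'SeBatchLogonRight') {
        $line = $PolicyLines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        $holders = @()
        if ($line) {
            # Entries are comma-separated; SIDs carry a leading '*', unresolved names do not.
            $holders = @(($line -split '=', 2)[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
        # -contains is case-insensitive, so name casing does not matter.
        $result[$right] = ($holders -contains $AccountSid) -or ($holders -contains $AccountName)
    }
    [pscustomobject]$result
}

# Constructed sample export: a GPO has left the account with the service right only.
$sampleSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed SID
$sample = @(
    '[Privilege Rights]'
    "SeServiceLogonRight = *S-1-5-80-0,*$sampleSid"
    'SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551'
)
Test-AdfsLogonRights -AccountName 'CONTOSO\svc-adfs' -AccountSid $sampleSid -PolicyLines $sample

# On the ADFS server, from an elevated prompt (account name is a placeholder):
# $acct = 'CONTOSO\svc-adfs'
# $sid  = ([System.Security.Principal.NTAccount]$acct).Translate(
#             [System.Security.Principal.SecurityIdentifier]).Value
# $cfg  = Join-Path $env:TEMP 'user-rights.inf'
# secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
# Test-AdfsLogonRights -AccountName $acct -AccountSid $sid -PolicyLines (Get-Content $cfg)
```

A `False` for either right on the live export points to the effective policy as the cause of the 503 errors; restore the right in the GPO that sets it rather than in local policy, which the next policy refresh would overwrite.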

Further Reference