MIM 2016: SSPR Error 3001 or 3008

My SSPR is installed on a separate server from the FIM service server. After installing (this can also happen after a MIM Upgrade), I discover the following errors from the SSPR websites. I can get to the first page but when I click next, which is when the SSPR attempts communication with the FIM service I get

Error 3001 on the Password reset: Access denied

Error 3008 on the Password registration: Failure to communicate with the FIM service.

There are a host of items to check but I will talk about one item which resolved it for me.

When SSPR communicates with the FIM service it does so with the app_pool account that you specified when you installed the SSPR. FIM service will first, try and verify the requestor by checking its own record of which account manages the SSPR. This information is requested during the install process through this screen

Do NOT ignore this screen especially if your SSPR is on another server. If you have SSPR, make sure you check both boxes and enter the ID. MIM will take the ID, get the SID from AD and put it in the registry under HKLM\CurrentControlSet\Services\FIMService\PasswordRegistrtionServiceAccountSID and HKLM\CurrentControlSet\Services\FIMService\PasswordResetServiceAccountSID.

If you install SSPR later on another server, come back to your FIM Service server, run the setup again, choose change and select these options.