MIM 2016: Next button on SSPR does not work

Infrastructure

I have 2 SSPRs and 2 Portal servers. I have an NLB which routes traffic to the two Portal and SSPR servers.

Issue

When users connect to the Password Registration site, they get to the welcome page but the Next button is grayed out. The following error can be seen in the event viewer:

System.Web.Extensions: System.Web.HttpException: This is an invalid script resource request.
   at System.Web.Handlers.ScriptResourceHandler.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

In other cases, when users connect the Next button is not grayed out, but when they click Next they get a message saying the session has timed out or ended.

Cause

If I turn off the WWW service on 1 Portal and 1 SSPR, everything works well, so the issue is that the NLB is not properly configured. When the SSPR client makes a request to the Portal, the request goes through port 5725; the Portal creates a security token with the machine account and sends the token to the SSPR client via port 5726. The client uses this token for all further communication with the Portal, but each time it talks to the Portal the request goes to the NLB, which routes it to whichever Portal it chooses. If Portal1 issued the token to the client but the NLB routes the next message to Portal2, the message is rejected because Portal2 cannot decrypt a token issued by Portal1.

Solution

There are two solutions:

Set the same machine key across the farm.

I would not recommend this option (a bit more of an overhead to maintain) but it's an option.

  1. For the Portal, go to Portal1. Open the web.config file of the Portal website (under c:\Inetpub\wwwroot).
  2. Go to the machineKey section in the file. Copy the machine key (validationKey) and decryptionKey values.
  3. Go to Portal2. Open the web.config of the Portal website.
  4. Go to the machineKey section and paste the same machine key (validationKey) and decryptionKey values, so every Portal node can validate and decrypt tokens issued by any other node.
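The following PowerShell script is an added example (not part of the original post, and not a Microsoft or MIM tool) that performs steps 1 to 4 in one go: it reads the <machineKey> element from Portal1's web.config, writes it into Portal2's web.config after taking a backup, and then re-reads the target to confirm the key attributes match. The UNC paths, server names and the assumption that the machineKey element lives under /configuration/system.web are assumptions for the example; adjust them to your farm.

```powershell
# Added example, not from the original post: copy the <machineKey> element from
# Portal1's web.config to Portal2's web.config so both farm members validate and
# decrypt each other's tokens. Server names and paths below are assumptions.
param(
    [string]$SourceConfig = '\\Portal1\c$\inetpub\wwwroot\web.config',   # assumed path
    [string]$TargetConfig = '\\Portal2\c$\inetpub\wwwroot\web.config'    # assumed path
)

# Load both files as XML so only the machineKey element is touched, not the whole file
[xml]$src = Get-Content -Path $SourceConfig -Raw
[xml]$dst = Get-Content -Path $TargetConfig -Raw

# machineKey normally sits under /configuration/system.web (assumed location)
$srcKey = $src.SelectSingleNode('/configuration/system.web/machineKey')
if (-not $srcKey) { throw "No <machineKey> element found in $SourceConfig" }

# Keep a timestamped backup of the target before changing it
$backup = "$TargetConfig.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $TargetConfig -Destination $backup

$sysWeb = $dst.SelectSingleNode('/configuration/system.web')
if (-not $sysWeb) { throw "No <system.web> section found in $TargetConfig" }

# Replace any existing machineKey on the target with a copy of the source element
$dstKey = $sysWeb.SelectSingleNode('machineKey')
if ($dstKey) { [void]$sysWeb.RemoveChild($dstKey) }
[void]$sysWeb.AppendChild($dst.ImportNode($srcKey, $true))
$dst.Save($TargetConfig)

# Verify: re-read the target and compare the attributes that must be identical
[xml]$check = Get-Content -Path $TargetConfig -Raw
$written = $check.SelectSingleNode('/configuration/system.web/machineKey')
foreach ($attr in 'validationKey', 'decryptionKey', 'validation', 'decryption') {
    if ($srcKey.GetAttribute($attr) -ne $written.GetAttribute($attr)) {
        throw "Attribute '$attr' differs between source and target after copy"
    }
}
Write-Host "machineKey synchronised to $TargetConfig (backup: $backup)"
```

Once the keys are shared, the web.config on every node protects the same secret, so the NTFS permissions on each copy should be as tight as on the original, and the same script has to be re-run whenever the key is rotated on one node.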

Set correct NLB settings

I would recommend this option. This article has very good information on NLB settings for FIM/MIM.

  1. For the Portal, set the NLB to route ports 5725 and 5726.
  2. For SSPR and Portal, set the NLB to route ports 80 to 443.
  3. For SSPR and Portal, set the NLB to maintain sticky (single-affinity) or cookie-based sessions, so a client keeps talking to the node that issued its token.
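As an added example (not from the original post), the three settings above expressed with the Windows NLB cmdlets from the NetworkLoadBalancingClusters module: one port rule for the MIM Service ports 5725 to 5726 and one for the web ports 80 to 443, both with Single affinity so a client sticks to the node that issued its token. The cluster name, interface name and the assumption that the cmdlet parameters are -StartPort, -EndPort, -Protocol, -Mode and -Affinity are assumptions for the example; check Get-Help Add-NlbClusterPortRule on your NLB host before running it.

```powershell
# Added example, not from the original post: create sticky NLB port rules for a
# MIM Portal/SSPR farm. Cluster/interface names are assumptions for the example.
Import-Module NetworkLoadBalancingClusters

$interface = 'Ethernet'          # assumed NLB-bound NIC name on this host
$cluster   = Get-NlbCluster -InterfaceName $interface

# Rule 1: MIM Service ports 5725-5726 (token issue/consume), single affinity
Add-NlbClusterPortRule -InterfaceName $interface `
    -StartPort 5725 -EndPort 5726 -Protocol Tcp -Mode Multiple -Affinity Single

# Rule 2: web ports 80-443 for the Portal and SSPR sites, single affinity
Add-NlbClusterPortRule -InterfaceName $interface `
    -StartPort 80 -EndPort 443 -Protocol Tcp -Mode Multiple -Affinity Single

# Verify: every rule covering these ports must report Single affinity, otherwise
# a client can be sent to a node that cannot decrypt its token
$rules = Get-NlbClusterPortRule -InterfaceName $interface
$bad = $rules | Where-Object { $_.Affinity -ne 'Single' }
if ($bad) {
    $bad | Format-Table StartPort, EndPort, Protocol, Affinity
    throw "One or more port rules on cluster '$($cluster.Name)' are not sticky"
}
Write-Host "All port rules on cluster '$($cluster.Name)' use Single affinity"
```

If a hardware or third-party load balancer sits in front of the farm instead of Windows NLB, the same two points apply: both port ranges must be forwarded, and session persistence (source-IP or cookie) must be enabled on them.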
