MIM 2016: Next button on SSPR does not work


I have 2 SSPR servers and 2 Portal servers, with an NLB that routes traffic to both the Portal and SSPR servers.


When users connect to the Password Registration site, they get to the welcome page but the Next button is grayed out. The following error can be seen in the event viewer:

System.Web.Extensions: System.Web.HttpException: This is an invalid script resource request.

   at System.Web.Handlers.ScriptResourceHandler.ProcessRequest(HttpContext context)

   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

When users connect, the Next button is not grayed out, but when they click Next, they get a message saying the session is timed out or ended.


If I turn off the WWW service on one Portal and one SSPR server, everything works well, so the issue is that the NLB is not configured properly. When the SSPR client makes a request to the Portal, the request goes through port 5725; the Portal creates a security token with the machine account and sends the token to the SSPR client via port 5726. The client uses this token to communicate with the Portal, but each time it wants to talk to the Portal, the request goes to the NLB, which routes it to one of the Portals. If Portal1 sends a token to the client but the NLB routes the next message to Portal2, the message will be rejected because Portal2 cannot decrypt it.


There are two solutions:

Set the same machine key across the farm.

I would not recommend this option (it is a bit more overhead to maintain), but it's an option.

  1. For the Portal: go to Portal1. Open the web.config file of the Portal website (under C:\inetpub\wwwroot)
  2. Go to the MachineKey section in the file. Copy the Machine Key and decryption key.
  3. Go to Portal2. Open the web.config of the Portal website.
  4. Go to the MachineKey section, paste the Machine Key and decryption key
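To confirm the keys really match after copying them, the following PowerShell check (an added example, not part of the original post) compares the `machineKey` element of each node's web.config by SHA-256 fingerprint, so the key material itself is never printed or logged. The `-ConfigPath` values are assumptions that you supply for your own servers.

```powershell
# Added example: verify that every farm node carries the same <machineKey>.
param(
    # Full path to each node's web.config (assumption: supplied by the operator).
    [Parameter(Mandatory)]
    [string[]]$ConfigPath
)

function Get-Fingerprint([string]$Value) {
    # Short SHA-256 fingerprint so keys can be compared without being displayed.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Value.ToUpperInvariant()))
        return ([System.BitConverter]::ToString($bytes) -replace '-', '').Substring(0, 16)
    } finally { $sha.Dispose() }
}

$results = foreach ($path in $ConfigPath) {
    [xml]$doc = Get-Content -LiteralPath $path -Raw
    # local-name() keeps the lookup working if the config root declares a namespace.
    $node = $doc.SelectSingleNode("//*[local-name()='system.web']/*[local-name()='machineKey']")
    $attr = @{}
    foreach ($name in 'validationKey', 'decryptionKey', 'validation', 'decryption') {
        $attr[$name] = if ($node) { $node.GetAttribute($name) } else { '' }
    }
    $v = $attr['validationKey']
    $d = $attr['decryptionKey']
    [pscustomobject]@{
        Path            = $path
        # No element, or an AutoGenerate value, means the node uses its own per-machine key.
        AutoGenerated   = (-not $v) -or (-not $d) -or ($v -like 'AutoGenerate*') -or ($d -like 'AutoGenerate*')
        Validation      = $attr['validation'].ToUpperInvariant()
        Decryption      = $attr['decryption'].ToUpperInvariant()
        ValidationKeyId = Get-Fingerprint $v
        DecryptionKeyId = Get-Fingerprint $d
    }
}

$results | Format-Table -AutoSize

$distinct = @($results | Select-Object ValidationKeyId, DecryptionKeyId, Validation, Decryption -Unique)
if (@($results | Where-Object AutoGenerated).Count -gt 0 -or $distinct.Count -gt 1) {
    Write-Warning 'machineKey differs between nodes or is auto-generated; tokens from one node will not decrypt on another.'
    exit 1
}
Write-Output 'machineKey settings match on all nodes.'
```

Because the shared key protects every token issued by the farm, restrict read access to the web.config files and rotate the key on all nodes together.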

Set correct NLB settings

I would recommend this option. This article has very good information on NLB settings for FIM/MIM.

  1. For the Portal, set NLB to route to 5725 and 5726
  2. For SSPR and Portal, set NLB to route 80 to 443
  3. For SSPR and Portal, set NLB to maintain sticky or cookie sessions.