Thursday, December 19, 2013

FIM 2010 R2 SSPR: Cannot access password registration portal - Error 3000

In a development environment, after upgrading to FIM 2010 R2, I configured (as you would) the new URLs and settings for the SSPR password registration and reset pages. However, much to my surprise (or not), the registration site did not work as it did in another test environment. When prompted to click Next in order to begin the registration process, the portal would immediately throw the following error:


Looking at the administrative event logs, the following stream of events occurred while the portal was being accessed and after clicking Next:


The three errors state:

HttpContext.Current.User.Identity.Name is Null or Empty

Microsoft.IdentityManagement.CredentialManagement.Portal: System.Web.HttpUnhandledException: ScriptManager_AsyncPostBackError ---> System.InvalidOperationException: HttpContext.Current.User.Identity.Name is Null or Empty
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.GetDomainAndUserName(String& domain, String& userName)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.InitiateRegistration()
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Registration.Next()
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Site.ScriptManager_AsyncPostBackError(Object sender, AsyncPostBackErrorEventArgs eventArgs)
   at System.Web.UI.ScriptManager.OnAsyncPostBackError(AsyncPostBackErrorEventArgs e)
   at System.Web.UI.PageRequestManager.OnPageError(Object sender, EventArgs e)
   at System.Web.UI.TemplateControl.OnError(EventArgs e)
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.default_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


The error page was displayed to the user.
Details:
Title: Error
Message: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3000)
Source:
Attributes:
Details: System.InvalidOperationException: HttpContext.Current.User.Identity.Name is Null or Empty
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.GetDomainAndUserName(String& domain, String& userName)
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Components.RegistrationDriver.InitiateRegistration()
   at Microsoft.IdentityManagement.CredentialManagement.Portal.Registration.Next()
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
CorrelationId:
RequestId:
ErrorCode: 3000
CaughtTime: 12/19/2013 15:53:14
Web Portal: FIM Password Registration Portal


After doing some research, I found the following very insightful articles by Tim Macaulay (Microsoft):


Interestingly, the second article discusses disabling Kernel Mode Authentication, and yet the following article, in the SPN requirements for the registration portal, states:

The SSPR portals use IIS 7.0/7.5. IIS 7.0/7.5 has an authentication feature - 'Enable Kernel Mode Authentication'. With this feature the Kerberos ticket for the requested service is decrypted using Machine account (Local system) of the IIS server. It no longer depends upon the application pool Identity for this purpose. The following assumes that the password registration and reset portals are being accessed through a custom host header. In this instance the SPN is required only for the IIS machine account and not for our FIM Password Service account.

Therefore, having registered the SPN against the machine account (DOMAIN\computername$) with the "setspn" command, and having completed the other configuration, I knew that Kerberos authentication had been set up properly, so WHAT WAS GOING ON!!

All this, and then I noticed that on the registration site Windows Authentication was disabled after running setup, with Anonymous Authentication enabled. That explains the exception exactly: with Anonymous Authentication the request carries no Windows identity, so HttpContext.Current.User.Identity.Name is empty when RegistrationDriver.GetDomainAndUserName tries to read the domain and user name, and the portal surfaces it as Error 3000. Kerberos and the SPN were never the problem, because the registration site was not asking the browser to authenticate at all. These IIS settings may have been edited in the past, and were likely retained during the upgrade. Also interesting is that Anonymous-only is exactly the correct configuration for the password reset portal, where the user by definition cannot authenticate with Windows credentials; it is only wrong on the registration portal.

Make sure the following authentication settings are configured in IIS for the Password Registration portal: Windows Authentication enabled and Anonymous Authentication disabled (the opposite of the Password Reset portal):

 
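The audit and fix described above, together with the kernel-mode/SPN check from the quoted Microsoft text, as an added PowerShell example. This is not code from the original post or from Microsoft: the IIS site names, the custom host header and the domain are assumptions to adjust for your environment, and it relies on the WebAdministration module that ships with IIS 7.0/7.5 and setspn.exe from the Windows Server tools.

```powershell
# Added example (not from the original post): audit the IIS authentication
# settings of both FIM SSPR portals and correct the registration portal.
# Site names and host header below are ASSUMED values; adjust them.
Import-Module WebAdministration

$regSite    = 'FIM Password Registration Portal'   # assumed IIS site name
$resetSite  = 'FIM Password Reset Portal'          # assumed IIS site name
$hostHeader = 'passwordregistration.contoso.com'   # assumed custom host header
$authPath   = 'system.webServer/security/authentication'

function Get-SsprAuthState {
    param([Parameter(Mandatory=$true)][string]$Site)
    # The authentication sections are locked at server level, so read them
    # through the <location> tags in applicationHost.config.
    $p = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $Site }
    $anon = Get-WebConfigurationProperty @p -Filter "$authPath/anonymousAuthentication" -Name enabled
    $win  = Get-WebConfigurationProperty @p -Filter "$authPath/windowsAuthentication"   -Name enabled
    $kern = Get-WebConfigurationProperty @p -Filter "$authPath/windowsAuthentication"   -Name useKernelMode
    $prov = Get-WebConfiguration @p -Filter "$authPath/windowsAuthentication/providers/add" |
            ForEach-Object { $_.value }
    [pscustomobject]@{
        Site       = $Site
        Anonymous  = [bool]$anon.Value
        Windows    = [bool]$win.Value
        KernelMode = [bool]$kern.Value
        Providers  = ($prov -join ', ')   # Negotiate should be listed first for Kerberos
    }
}

function Set-RegistrationPortalAuth {
    param([Parameter(Mandatory=$true)][string]$Site)
    $p = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $Site }
    # The registration portal must know who the user is, so the request has to
    # carry a Windows identity: Windows Authentication on, Anonymous off.
    Set-WebConfigurationProperty @p -Filter "$authPath/windowsAuthentication"   -Name enabled -Value $true
    Set-WebConfigurationProperty @p -Filter "$authPath/anonymousAuthentication" -Name enabled -Value $false
}

# 1. Current state of both portals side by side. A registration site showing
#    Anonymous=True / Windows=False is the state that produces Error 3000.
$before = @($regSite, $resetSite) | ForEach-Object { Get-SsprAuthState -Site $_ }
$before | Format-Table -AutoSize

# 2. Fix only the registration portal. The reset portal stays Anonymous-only on
#    purpose: a user who has forgotten their password cannot do Windows auth.
$reg = $before | Where-Object { $_.Site -eq $regSite }
if (-not $reg.Windows -or $reg.Anonymous) {
    Set-RegistrationPortalAuth -Site $regSite
}

# 3. With kernel-mode authentication the Kerberos ticket is decrypted with the
#    machine account, so for a custom host header the HTTP SPN must sit on the
#    computer account rather than on the FIM Password service account.
$after = Get-SsprAuthState -Site $regSite
$after | Format-List
if ($after.KernelMode) {
    & setspn.exe -Q "HTTP/$hostHeader"                          # who owns this SPN?
    & setspn.exe -L "$env:USERDOMAIN\$env:COMPUTERNAME`$"       # SPNs on the machine account
}
```

Run it in an elevated PowerShell on the SSPR web server. `setspn -Q` reports "Existing SPN found!" with the owning account when the SPN is registered; if it is owned by the service account while `useKernelMode` is true, that is the mismatch the quoted article warns about. The configuration change takes effect without an iisreset, so the Next button on the registration page can be retried immediately.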

Hope this helps!

-jose the admin
