Table of Contents



Credit for this solution goes to Anthony Ho, who provided this answer in our forums.  

Thanks Gil Olsen and Bruce Davis for assistance finding and testing this solution, and Mark Shoemaker for posting straightforward instructions here.


When registering for SSPR, the user receives error 3008 after providing answers to the registration questions.  We see the error (event ID 54) in the event log:

FIM Password Registration Portal failure to connect to FIM Service
The FIM Password Registration Portal failed to connect to the FIM Service.
Ensure that
(1) the FIM Service is running,
(2) the FIM Service server address is correct in the web.config file on the FIM Password Registration Portal, and
(3) that network connectivity is available between the FIM Password Registration Portal and the FIM Service over the designated port.
An error occurred while receiving the HTTP response to http://fimserv:5726/ResourceManagementService/SecurityTokenService/Registration. This could be due to the service endpoint binding not using the HTTP protocol.
This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down).
See server logs for more details.
---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive.
---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
at System.Net.Sockets.NetworkStream.Read(Byte[]buffer, Int32 offset, Int32 size)
--- End of inner exception stack trace ---
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead)
CauseIf you run into this error, you may notice that the user has in fact registered successfully despite the error.

Checking advanced attributes AuthNWorkflowRegistered in the FIM Portal should show they have registered for Password Reset.  

This issue is likely caused during installation, where the FIMService account supplied for the Service and Portal installation step is different than the FIMService account supplied in the Password Registration Portal installation step.  

Looking at a FIMService trace we see the following exception:

System.ServiceModel: System.Xml.XmlException:
There was an error serializing the security token.
Please see the inner exception for more details.
---> System.InvalidOperationException: The SamlAssertion could not be serialized to XML. Please see inner exception for details.
---> System.Security.Cryptography.CryptographicException: Keyset does not exist



Perform these steps on the server hosting the FIM Service.

  1. Download PsExec from here:
  2. Open a command prompt as administrator and run the command below
  3. psexec.exe -s -d -i cmd.exe
  4. In the new command prompt window that opens, type: mmc.exe
  5. Add the Certificate snap-in, select Computer Account radio button, then select Local Computer and Finish.
  6. Expand Certificates (Local Computer), Personal, then click on the Certificates folder.
  7. Right click on ForefrontIdentityManager and select Manage Private Keys...

  8. Add the FIMService account and give it read permission.
  9. Restart the FIMService


See Also