Password Reset registration failure for some users.
I recently rolled out the Password Reset Client to a control group of users. Some are able to register and some are not. They receive a generic error asking them to contact their administrator after answering the questions in the last QA Bank. I set verbose logging on the client and I see three errors in succession, the first two being "An error occurred when processing the security tokens in this message" errors. Stack traces in order:
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"> <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"> <EventID>3</EventID> <Type>3</Type> <SubType Name="Error">0</SubType> <Level>2</Level> <TimeCreated SystemTime="2010-10-08T21:15:18.8556312Z" /> <Source Name="Microsoft.ResourceManagement" /> <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" /> <Execution ProcessName="PwdMgmtProxy" ProcessID="1752" ThreadID="9" /> <Channel /> <Computer>6731752NIT265</Computer> </System> <ApplicationData>mscorlib: System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when processing the security tokens in the message. 
--- End of inner exception stack trace --- Server stack trace: at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout) at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout) at System.ServiceModel.Channels.ContextRequestChannel.Request(Message message, TimeSpan timeout) at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at Microsoft.ResourceManagement.WebServices.WSTransfer.IResource.Put(Message request) at Microsoft.ResourceManagement.WebServices.ResourceClient.Put(Message request) at Microsoft.ResourceManagement.WebServices.ResourceClient.Put(UniqueIdentifier objectId, CultureInfo locale, Put putBody) at Microsoft.ResourceManagement.WebServices.Client.Resource.Update() <System.Diagnostics xmlns="http://schemas.microsoft.com/2004/08/System.Diagnostics"> <LogicalOperationStack></LogicalOperationStack> <Timestamp>14934236472</Timestamp> <Callstack> at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo) at System.Environment.get_StackTrace() at System.Diagnostics.TraceEventCache.get_Callstack() at 
System.Diagnostics.XmlWriterTraceListener.WriteFooter(TraceEventCache eventCache) at System.Diagnostics.XmlWriterTraceListener.TraceEvent(TraceEventCache eventCache, String source, TraceEventType eventType, Int32 id, String format, Object[] args) at System.Diagnostics.TraceSource.TraceEvent(TraceEventType eventType, Int32 id, String format, Object[] args) at Microsoft.ResourceManagement.Utilities.LoggingManager.LogError(String formatString, Object[] arguments) at Microsoft.ResourceManagement.Utilities.LoggingManager.ReportError(Exception exception) at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.PrepareException(Exception exception) at Microsoft.ResourceManagement.WebServices.Client.Resource.Update() at Microsoft.ResourceManagement.WebServices.ResourceManager.ResumableUpdate() at Microsoft.ResourceManagement.WebServices.ResourceManager.Resume(ContextualSecurityToken securityToken) at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.ReadGetNGateMsg(ClientPipeContext& client, Boolean registering) at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.GetNextGate(ClientPipeContext& client, Boolean registering) at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.Register(ClientPipeContext& client) at Microsoft.IdentityManagement.PasswordReset.PasswordManagementProxy.PipeCommunicationThread(Object context) at Microsoft.IdentityManagement.PasswordReset.ClientPipeContext.<>c__DisplayClass1.<Start>b__0() at System.Threading.ThreadHelper.ThreadStart_Context(Object state) at System.Threading.ExecutionContext.runTryCode(Object userData) at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData) at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object 
state) at System.Threading.ThreadHelper.ThreadStart() </Callstack> </System.Diagnostics> </ApplicationData> </E2ETraceEvent> <E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"> <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"> <EventID>3</EventID> <Type>3</Type> <SubType Name="Error">0</SubType> <Level>2</Level> <TimeCreated SystemTime="2010-10-08T21:15:18.9457626Z" /> <Source Name="Microsoft.ResourceManagement" /> <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" /> <Execution ProcessName="PwdMgmtProxy" ProcessID="1752" ThreadID="9" /> <Channel /> <Computer>6731752NIT265</Computer> </System> <ApplicationData>mscorlib: System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when processing the security tokens in the message. --- End of inner exception stack trace --- Server stack trace: at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout) at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout) at System.ServiceModel.Channels.ContextRequestChannel.Request(Message message, TimeSpan timeout) at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at 
System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at Microsoft.ResourceManagement.WebServices.Client.Resource.Update() at Microsoft.ResourceManagement.WebServices.ResourceManager.ResumableUpdate() at Microsoft.ResourceManagement.WebServices.ResourceManager.Resume(ContextualSecurityToken securityToken) at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.ReadGetNGateMsg(ClientPipeContext& client, Boolean registering) <System.Diagnostics xmlns="http://schemas.microsoft.com/2004/08/System.Diagnostics"> <LogicalOperationStack></LogicalOperationStack> <Timestamp>14934561569</Timestamp> <Callstack> at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo) at System.Environment.get_StackTrace() at System.Diagnostics.TraceEventCache.get_Callstack() at System.Diagnostics.XmlWriterTraceListener.WriteFooter(TraceEventCache eventCache) at System.Diagnostics.XmlWriterTraceListener.TraceEvent(TraceEventCache eventCache, String source, TraceEventType eventType, Int32 id, String format, Object[] args) at System.Diagnostics.TraceSource.TraceEvent(TraceEventType eventType, Int32 id, String format, Object[] args) at Microsoft.ResourceManagement.Utilities.LoggingManager.LogError(String formatString, Object[] arguments) at Microsoft.ResourceManagement.Utilities.LoggingManager.ReportError(Exception exception) at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.ReadGetNGateMsg(ClientPipeContext& client, Boolean registering) at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.GetNextGate(ClientPipeContext& client, Boolean registering) at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.Register(ClientPipeContext& client) at Microsoft.IdentityManagement.PasswordReset.PasswordManagementProxy.PipeCommunicationThread(Object context) at Microsoft.IdentityManagement.PasswordReset.ClientPipeContext.<>c__DisplayClass1.<Start>b__0() at 
System.Threading.ThreadHelper.ThreadStart_Context(Object state) at System.Threading.ExecutionContext.runTryCode(Object userData) at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData) at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) at System.Threading.ThreadHelper.ThreadStart() </Callstack> </System.Diagnostics> </ApplicationData> </E2ETraceEvent> <E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"> <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"> <EventID>3</EventID> <Type>3</Type> <SubType Name="Error">0</SubType> <Level>2</Level> <TimeCreated SystemTime="2010-10-08T21:15:18.9457626Z" /> <Source Name="Microsoft.ResourceManagement" /> <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" /> <Execution ProcessName="PwdMgmtProxy" ProcessID="1752" ThreadID="9" /> <Channel /> <Computer>6731752NIT265</Computer> </System> <ApplicationData>PwdMgmtProxy: Microsoft.IdentityManagement.PasswordReset.Utilities.UserFailureException: The user provided a bad challenge response. 
at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.WriteGetNGateMsg(ClientPipeContext& client) at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.GetNextGate(ClientPipeContext& client, Boolean registering) at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.Register(ClientPipeContext& client) at Microsoft.IdentityManagement.PasswordReset.PasswordManagementProxy.PipeCommunicationThread(Object context) <System.Diagnostics xmlns="http://schemas.microsoft.com/2004/08/System.Diagnostics"> <LogicalOperationStack></LogicalOperationStack> <Timestamp>14934575352</Timestamp> <Callstack> at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo) at System.Environment.get_StackTrace() at System.Diagnostics.TraceEventCache.get_Callstack() at System.Diagnostics.XmlWriterTraceListener.WriteFooter(TraceEventCache eventCache) at System.Diagnostics.XmlWriterTraceListener.TraceEvent(TraceEventCache eventCache, String source, TraceEventType eventType, Int32 id, String format, Object[] args) at System.Diagnostics.TraceSource.TraceEvent(TraceEventType eventType, Int32 id, String format, Object[] args) at Microsoft.ResourceManagement.Utilities.LoggingManager.LogError(String formatString, Object[] arguments) at Microsoft.ResourceManagement.Utilities.LoggingManager.ReportError(Exception exception) at Microsoft.IdentityManagement.PasswordReset.PasswordManagementProxy.PipeCommunicationThread(Object context) at Microsoft.IdentityManagement.PasswordReset.ClientPipeContext.<>c__DisplayClass1.<Start>b__0() at System.Threading.ThreadHelper.ThreadStart_Context(Object state) at System.Threading.ExecutionContext.runTryCode(Object userData) at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData) at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state) at 
System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) at System.Threading.ThreadHelper.ThreadStart() </Callstack> </System.Diagnostics> </ApplicationData> </E2ETraceEvent>
October 11th, 2010 11:06pm
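One way to triage trace output like the events posted above is to reduce each E2ETraceEvent to its exception chain and count events by innermost exception. This is an added example, not part of the original thread or of FIM; the sample events are constructed (computer name, process ID and timestamps are placeholders) and reuse only the exception text quoted in the post.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
from xml.sax.saxutils import escape

E2E = "{http://schemas.microsoft.com/2004/06/E2ETraceEvent}"
SYS = "{http://schemas.microsoft.com/2004/06/windows/eventlog/system}"
# "Some.Type.NameException: message", ended by an inner-exception arrow, the
# "--- End of ..." marker, the first stack frame, or the end of the text.
EXC = re.compile(r"([\w.]+Exception): (.*?)(?=\s+---|\s+at\s+\S+\(|\s*$)", re.S)

def parse_trace(text):
    """Return one dict per E2ETraceEvent in a rootless trace log."""
    root = ET.fromstring("<log>" + text + "</log>")  # the log has no root element
    events = []
    for ev in root.iter(E2E + "E2ETraceEvent"):
        system = ev.find(SYS + "System")
        data = ev.find(E2E + "ApplicationData")
        # .text stops before the nested System.Diagnostics element, so frames
        # from the logger's own Callstack are never parsed as exceptions.
        body = (data.text or "") if data is not None else ""
        events.append({
            "time": system.find(SYS + "TimeCreated").get("SystemTime"),
            "process": system.find(SYS + "Execution").get("ProcessName"),
            "chain": [(t, " ".join(m.split())) for t, m in EXC.findall(body)],
        })
    return events

def innermost_counts(events):
    """Count events by their innermost (last in chain) exception."""
    return Counter(e["chain"][-1] for e in events if e["chain"])

def _sample_event(when, text):
    """Build one constructed event; escape() mirrors how a log file stores '--->' and '&'."""
    return ('<E2ETraceEvent xmlns="%s"><System xmlns="%s"><TimeCreated SystemTime="%s" />'
            '<Execution ProcessName="PwdMgmtProxy" ProcessID="100" ThreadID="9" />'
            '<Computer>WORKSTATION01</Computer></System><ApplicationData>%s'
            '<System.Diagnostics xmlns="http://schemas.microsoft.com/2004/08/System.Diagnostics">'
            '<Callstack>at Example.Logger.ReportError(Exception exception)</Callstack>'
            '</System.Diagnostics></ApplicationData></E2ETraceEvent>\n'
            % (E2E[1:-1], SYS[1:-1], when, escape(text)))

# Constructed sample: exception text as quoted in the post, stacks shortened.
TOKEN_FAULT = (
    "mscorlib: System.ServiceModel.Security.MessageSecurityException: An unsecured or "
    "incorrectly secured fault was received from the other party. See the inner FaultException "
    "for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred "
    "when processing the security tokens in the message.\n   --- End of inner exception stack "
    "trace ---\n   at Microsoft.ResourceManagement.WebServices.Client.Resource.Update()")
BAD_RESPONSE = (
    "PwdMgmtProxy: Microsoft.IdentityManagement.PasswordReset.Utilities."
    "UserFailureException: The user provided a bad challenge response.\n   at Microsoft."
    "IdentityManagement.PasswordReset.PasswordResetOperation.WriteGetNGateMsg("
    "ClientPipeContext& client)")
SAMPLE = (_sample_event("2010-01-01T10:00:00.10Z", TOKEN_FAULT)
          + _sample_event("2010-01-01T10:00:00.19Z", TOKEN_FAULT)
          + _sample_event("2010-01-01T10:00:00.20Z", BAD_RESPONSE))

if __name__ == "__main__":
    for (exc, msg), n in innermost_counts(parse_trace(SAMPLE)).most_common():
        print(n, exc, "-", msg)
```

Running the same two functions over the client and server logs separately makes it easy to line up events by timestamp.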

If you enabled verbose logging, you should have some form of trace log as well. It would be nice if you could upload that somewhere. One thing which comes to my mind: are you sure the PCs from which the registration is being performed (and fails) are happily in the domain? One of the prerequisites for SSPR registration/reset is that the client-domain channel is healthy. If in doubt, try to execute gpupdate and see if that comes back with no errors. It's an easy test, but if that one fails, that's not a good sign. If that's OK, I would try to figure out whether it's user specific or machine specific: try a user who succeeded at machine A to register again at another machine where user B failed to register. You can trigger the registration wizard at the cmd prompt by executing "mspwdregistration -all".
http://setspn.blogspot.com
October 12th, 2010 12:01am

Good idea, I will try that. And I thought the server-side stack trace was in the XML, it appears I was mistaken. Here is the application data from the trace viewer.

mscorlib: System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when processing the security tokens in the message.
   --- End of inner exception stack trace ---
Server stack trace:
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ContextRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.ResourceManagement.WebServices.WSTransfer.IResource.Put(Message request)
   at Microsoft.ResourceManagement.WebServices.ResourceClient.Put(Message request)
   at Microsoft.ResourceManagement.WebServices.ResourceClient.Put(UniqueIdentifier objectId, CultureInfo locale, Put putBody)
   at Microsoft.ResourceManagement.WebServices.Client.Resource.Update()

Error 2:
mscorlib: System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when processing the security tokens in the message.
   --- End of inner exception stack trace ---
Server stack trace:
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ContextRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at Microsoft.ResourceManagement.WebServices.Client.Resource.Update()
   at Microsoft.ResourceManagement.WebServices.ResourceManager.ResumableUpdate()
   at Microsoft.ResourceManagement.WebServices.ResourceManager.Resume(ContextualSecurityToken securityToken)
   at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.ReadGetNGateMsg(ClientPipeContext& client, Boolean registering)

Error 3:
PwdMgmtProxy: Microsoft.IdentityManagement.PasswordReset.Utilities.UserFailureException: The user provided a bad challenge response.
   at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.WriteGetNGateMsg(ClientPipeContext& client)
   at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.GetNextGate(ClientPipeContext& client, Boolean registering)
   at Microsoft.IdentityManagement.PasswordReset.PasswordResetOperation.Register(ClientPipeContext& client)
   at Microsoft.IdentityManagement.PasswordReset.PasswordManagementProxy.PipeCommunicationThread(Object context)
October 12th, 2010 3:39pm

Update: I just had a user who cannot register for SSPR try from a different workstation. They received the same error. This workstation is a clean virtual of Windows XP SP3, where I successfully registered a test AD account.
October 12th, 2010 7:19pm

Please include both client and server trace.
October 12th, 2010 9:31pm

Derek,
If you want more detailed information on enabling traces for client and server:
http://blogs.technet.com/b/aho/archive/2010/09/29/troubleshooting-fimservice-fimportal-password-reset-client.aspx
or
http://setspn.blogspot.com/2010/09/fim-2010-sspr-client-extension-advanced.html
http://setspn.blogspot.com/2010/06/fim-2010-enable-advanced-error-logging.html
Perhaps two additional questions:
Are the test user and the failing user in the FIM Portal more or less equal? I mean concerning SSPR set memberships.
Is the user for which it fails a member of a lot of groups?
http://setspn.blogspot.com
October 12th, 2010 9:38pm

No more groups than me or anyone else, and I and some others can register successfully. All users are members of the SSPR users set, otherwise they wouldn't be presented with registration on logon. All the required MPRs granting permissions are on and enabled, otherwise no one would be able to register. My most recent step is deleting the MV and FIM MA objects for a user and allowing them to provision again. This will tell me if it is a problem with the MV or FIM MA objects or with something else.
October 12th, 2010 9:54pm

Regarding the group membership thingy: make sure you take nested groups into account, they all count. This can be evaluated (reported) using ntdsutil: group membership evaluation. An easy way to test is to duplicate the user having the problem in AD to a test account. Then provision to FIM (if you have this flow). And then test with the dummy user. If you have the issue with the dummy user, you can stop bugging the real user as well.
http://setspn.blogspot.com
October 12th, 2010 9:57pm
