I am trying to implement AjaxControlToolkit NoBot but I always get false from IsValid() method (the state value is always InvalidBadResponse). Am I missing something here?

ASCX code:

// buttons, textboxes etc.
<asp:NoBot ID="NoBot1" 
           runat="server"             
           CutoffMaximumInstances="5" 
           CutoffWindowSeconds="60" 
           ResponseMinimumDelaySeconds="2"
           />

Code behind:

protected void Button1_Click(object sender, EventArgs e)
{
    AjaxControlToolkit.NoBotState state;

    if (!NoBot1.IsValid(out state))
    {
        Page page = HttpContext.Current.Handler as Page;
        ScriptManager.RegisterStartupScript(page, page.GetType(), "err_msg", "alert('" + " BOT " + "');", true);
    }
     else
    { ...}
}

Far more weird is this: I enter data for login and click on asp button. NoBot state is InvalidBadResponse and it fails. But, then I click on browser's refresh button it asks me to resend request I say ok and now state is valid! Why?

The only reason I know of that you'll get an "InvalidBadResponse" from the NoBot control is if you have javascript disabled in your browser. The documentation page states that one of the techniques used by NoBot is

Forcing the client's browser to perform a configurable JavaScript calculation and verifying the result as part of the postback. (Ex: the calculation may be a simple numeric one, or may also involve the DOM for added assurance that a browser is involved)

An "InvalidBadRespone" message means that the javascript did not get executed (also from the link above):

InvalidBadResponse: An invalid response was provided to the challenge suggesting the challenge script was not run

I would double check your browser settings. I've tested this by disabling javascript in my browser (just to make sure) and trying the example on the documentation page.

You can customize the calculation using the OnGenerateChallengeAndResponse attribute to specify an Event Handler. I good example of implementing one such event handler is this (code credit to this post):

protected void PageNoBot_GenerateChallengeAndResponse(object sender, AjaxControlToolkit.NoBotEventArgs e)
{
    Random r = new
    Random();

    int iFirst = r.Next(100);

    int iSecond = r.Next(100);
    e.ChallengeScript = String.Format("eval('{0}+{1}')", iFirst, iSecond);
    e.RequiredResponse = Convert.ToString(iFirst + iSecond);  
}

Please refer this

http://www.asp.net/ajaxlibrary/AjaxControlToolkitSampleSite/NoBot/NoBot.aspx

http://www.asp.net/ajaxlibrary/HOW%20TO%20Use%20the%20NoBot%20Control.ashx

As mentioned in other answers, InvalidBadResponse is due to the Javascript challenge failing.

The problem:

The reason it was failing for me was because the ASP.NET ajax libraries needed to run this were failing to load; have a look at your browser's javascript debugger; this is what mine (in Chrome) looked like

As you can see, the .axd files were not being served and the error ASP.NET Ajax client-side framework failed to load error was pretty telling.

The cause: (in my case)

I had an url re-write rule that accidentally altered the .axd urls - causing them not to be served.

I would recommend checking your web.config, if needed adding the line

<add input="{URL}" pattern="\.axd$" negate="true"/>

to your rules and this

routes.Ignore("{resource}.axd/{*pathInfo}");

in your Global.asax (if you have one) where (and if) you register routes.

Check this SO answer out: Ajax client-side framework failed to load Asp.Net 4.0

Another possible cause might be the ViewStateMode of the master, page or control being set to Disabled. Seems that it needs to be Enabled for the NoBot to work properly.

I was doing some tests with ViewStateMode="Disabled" on my CMS's Master page, and NoBotState started to return InvalidBadResponses on my login page. Changing it to ViewStateMode="Enabled" fixed it for me.