I've found the cause of this bug.

On an IIS server, that does not support mod_rewrite, the JS variable for the form method (inviteurl, line 351 of tokens.js) ends up contianing something like this:

index.php?r=admin/tokens/sa/email/action/invite/surveyid/12345

This is not a valid form action. Any time a question mark is entered into a form's action attribute, the browser interprets it as a completely cleared query parameter, which ends up calling the root of the application.

Test case showing this:

http://home.turbogfx.net/test-form.php

How can this be fixed for IIS users?

Looking at older versions of LimeSurvey (2.06+) where this functionality was working, I noted one major difference:

The form generated when the Invite/Reminder buttons were clicked specified the method as "POST". LimeSurvey 2.5 160404 currently does not list any method at all, defaulting it to GET. POSTing to a form action that is a GET query itself is supported and works properly, so the fix for this is to add the following to scripts/admin/tokens.js, below line 351 and 376:

                    'method': 'POST',

Changing it to POST does not work for me, since I get this error:

The CSRF token could not be verified.

Yes, I also figured this out:

You must add this code (from LS 2.06+) back for each jQuery-created form, as well:

.append(jQuery('<input>', {
'name': 'YII_CSRF_TOKEN',
'value': LS.data.csrfToken,
'type': 'hidden'
}))

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=18377

Thanks for your help!

Version 2.50 Build 160407 released