550 supply message incomplete error (FTPS file upload)

This post has been republished via RSS; it originally appeared at: IIS Support Blog articles.

In a case I worked on, FTP file upload was working fine while FTPS was failing with the error message below. It was failing for all IIS servers and all FTP clients.

 

550 supply message incomplete, signature was not verified

 

Sample FTP log:

 

2019-06-13 20:28:26 134.165.112.56 SERVER\user 134.45.232.24 21 STOR test.txt 550 2148074264 0 05edb0d4-756e-4509-8d5e-4f566cae5bfb /test.txt

 

 

Root Cause

The sample FTP log above shows 2148074264 as sc-win32-status. This error code maps to SEC_E_INCOMPLETE_MESSAGE which means “The supplied message is incomplete. The signature was not verified”.
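The decoding described above can be run across a whole FTP log to confirm that failed transfers are coming from the TLS (SSPI) layer rather than from permissions or disk errors. This is an added example, not code from the original post. It assumes PowerShell 3.0 or later and a `#Fields` header matching the column order of the quoted log line; the function name and the second sample row are made up for illustration.

```powershell
# Added example, not from the original post. Constructed sample: the #Fields
# header is assumed to match the quoted line's column order; row 2 is invented.
$sampleLog = @'
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2019-06-13 20:28:26 134.165.112.56 SERVER\user 134.45.232.24 21 STOR test.txt 550 2148074264 0 05edb0d4-756e-4509-8d5e-4f566cae5bfb /test.txt
2019-06-13 20:29:02 134.165.112.56 SERVER\user 134.45.232.24 21 STOR ok.txt 226 0 0 05edb0d4-756e-4509-8d5e-4f566cae5bfb /ok.txt
'@ -split "`r?`n"

# Name taken from the post; other SSPI codes are reported by number only.
$knownSspi = @{ '0x80090318' = 'SEC_E_INCOMPLETE_MESSAGE' }

function Get-FtpSspiFailure {   # hypothetical helper name
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Take the column order from the log's own header.
            $fields = @(($line -replace '^#Fields:\s*', '').Trim() -split '\s+')
            continue
        }
        if (($line -like '#*') -or (-not $line.Trim()) -or ($fields.Count -eq 0)) { continue }
        $values = @($line.Trim() -split ' ')
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $status = [int64]0
        if (-not [int64]::TryParse([string]$row['sc-win32-status'], [ref]$status)) { continue }
        # HRESULT layout: bit 31 = failure, bits 16-26 = facility, bits 0-15 = code.
        $failed   = (($status -shr 31) -band 1) -eq 1
        $facility = ($status -shr 16) -band 0x7FF
        if ($failed -and ($facility -eq 9)) {   # 9 = FACILITY_SSPI (Schannel/TLS)
            $hex  = '0x{0:X8}' -f $status
            $name = $knownSspi[$hex]
            if (-not $name) { $name = 'unmapped SSPI error' }
            [pscustomobject]@{
                Time    = '{0} {1}' -f $row['date'], $row['time']
                Client  = $row['c-ip']
                Command = $row['cs-method']
                Target  = $row['cs-uri-stem']
                FtpCode = $row['sc-status']
                HResult = $hex
                Name    = $name
            }
        }
    }
}

# Real use: Get-FtpSspiFailure -Lines (Get-Content '<path to FTP log file>')
Get-FtpSspiFailure -Lines $sampleLog | Format-Table -AutoSize
```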

 

There is a known issue in Windows Server 2008, 2008 R2, 2012, and 2012 R2 that causes this error while using FTPS because of a bug in TLS communication.

 

Solution

Here is the hot-fix page for this bug. The download link on that page is broken; however, you can try downloading it via this page instead. Install the hot-fix and restart the server.

 

If you receive a “This update is not applicable” error while trying to install the hot-fix:

  • Extract the KB (MSU file) using this command:
    Expand -F:* <path to .msu file> <destination folder>
  • Run the command below to install the patch:
    DISM.exe /Online /Add-Package /PackagePath:<path to extracted .cab file>

 

It didn’t work?

Make sure to apply the correct update for your server’s operating system. If you are still seeing the “550 supply message incomplete” error, try the following steps.

 

Connect to FTP server via IP

If you are using a hostname (ftp.domain.com etc.) for FTP connections, follow these steps:

  1. On the client machine, open the Hosts file (C:\Windows\System32\drivers\etc\hosts)
  2. Enter the line below and save it (enter the IIS server’s IP address instead of 192.168.1.100):
     192.168.1.100 ftp.domain.com
  3. Run ipconfig /flushdns
  4. Try to connect to the FTP server again. If it works, it means there is a firewall blocking the FTPS port between client and server. If it doesn’t work, continue with the next section.

 

Try using SFTP instead of FTPS

FTPS uses two channels: Command Channel and Data Channel. Some firewalls and routers allow Data Channel communication only after reading the Command Channel data. If they can’t decrypt the Command Channel data when FTPS is used, they may block Data Channel communication.

 

SFTP uses only one channel for both commands and data. Therefore, this issue may not occur if you use SFTP. If it still occurs, continue with the next section.

 

A screenshot that shows protocols in an FTP client

 

Try disabling TLS 1.2 in IIS server

Disabling TLS 1.2 is not recommended, but this test helps you narrow down the issue. Please do not disable TLS on your production servers.

To disable TLS 1.2 for testing purposes:

  1. Open Registry Editor
  2. Go to this path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
  3. Add these two DWORD values:
    DisabledByDefault = 1
    Enabled = 0
  4. Restart the server
