This post has been republished via RSS; it originally appeared at: IIS Support Blog articles.
In a case I worked on, FTP file upload was working fine while FTPS was failing with the error message below. It was failing for all IIS servers and all FTP clients.
550 supply message incomplete, signature was not verified
Sample FTP log:
Root Cause
The sample FTP log above shows 2148074264 as sc-win32-status. This error code maps to SEC_E_INCOMPLETE_MESSAGE, which means “The supplied message is incomplete. The signature was not verified”.
There is a known issue in Windows Server 2008, 2008 R2, 2012, and 2012 R2 that causes this error while using FTPS because of a bug in TLS communication.
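The status lookup described above can be automated when there are many log files to check. The following is an added example, not code from the original post: it reads W3C-format FTP log lines, converts sc-win32-status to its HRESULT form, and reports entries that fall in the SSPI facility (0x8009xxxx), which is where SEC_E_INCOMPLETE_MESSAGE lives. The sample log lines, the function names, and the short name table are assumptions made for illustration.

```python
# Added example: triage IIS FTP W3C log lines by sc-win32-status.
FACILITY_SSPI = 9  # HRESULT facility used by SSPI/Schannel errors
SSPI_NAMES = {     # small subset of winerror.h
    0x80090304: "SEC_E_INTERNAL_ERROR",
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x80090318: "SEC_E_INCOMPLETE_MESSAGE",
    0x80090331: "SEC_E_ALGORITHM_MISMATCH",
}

# Constructed sample log (not taken from the post).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus
2020-01-01 10:00:01 203.0.113.10 - 21 AUTH TLS 234 0 0
2020-01-01 10:00:02 203.0.113.10 user1 21 PASS *** 230 0 0
2020-01-01 10:00:05 203.0.113.10 user1 21 STOR report.txt 550 2148074264 0
2020-01-01 10:00:09 203.0.113.11 user2 21 RETR missing.txt 550 2 0
"""

def parse_w3c(text):
    """Yield one dict per entry, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or garbled lines
                yield dict(zip(fields, values))

def classify(status):
    """Return (hex HRESULT, name) for an SSPI failure code, else None."""
    try:
        code = int(status) & 0xFFFFFFFF  # accept signed or unsigned decimal
    except ValueError:
        return None  # e.g. "-" when the field is empty
    facility = (code >> 16) & 0x1FFF
    if code >> 31 != 1 or facility != FACILITY_SSPI:
        return None
    return f"0x{code:08X}", SSPI_NAMES.get(code, "unknown SSPI error")

def tls_failures(text):
    """Return (method, FTP status, HRESULT, name) for TLS/SSPI-layer failures."""
    hits = []
    for entry in parse_w3c(text):
        result = classify(entry.get("sc-win32-status", ""))
        if result:
            hits.append((entry.get("cs-method"), entry.get("sc-status"), *result))
    return hits

if __name__ == "__main__":
    for hit in tls_failures(SAMPLE_LOG):
        print(hit)
```

Entries with an ordinary Win32 status such as 2 are ignored, so only failures raised by the TLS layer are listed.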
Solution
Here is the hot-fix page for this bug. The download link in this page is broken. However, you can try downloading it via this page instead. Install the hot-fix and restart the server.
If you receive the “This update is not applicable” error while trying to install the hot-fix:
- Extract the KB (MSU file) using this command:
  Expand -F:* <path-to-MSU-file> <destination-folder>
- Run the command below to install the patch:
  DISM.exe /Online /Add-Package /PackagePath:<path-to-extracted-CAB-file>
It didn’t work?
Make sure to apply the correct update for your server’s operating system. If you are still seeing the “550 supply message incomplete” error, try the following steps.
Connect to FTP server via IP
If you are using a hostname (ftp.domain.com etc.) for FTP connections, perform the following steps:
- On the client machine, open the Hosts file (C:\Windows\System32\drivers\etc\hosts)
- Enter the line below and save it (enter the IIS server’s IP address instead of 192.168.1.100):
  192.168.1.100 ftp.domain.com
- Run ipconfig /flushdns
- Try to connect to the FTP server again. If it works, it means there is a firewall blocking the FTPS port between client and server. If it doesn’t work, continue with the next section.
Try using SFTP instead of FTPS
FTPS uses two channels: Command Channel and Data Channel. Some firewalls and routers allow Data Channel communication only after reading the Command Channel data. If they can’t decrypt the Command Channel data when FTPS is used, they may block Data Channel communication.
SFTP uses only one channel for both commands and data. Therefore, this issue may not occur if you use SFTP. If it still occurs, continue with the next section below.
[Screenshot: protocols in an FTP client]
Try disabling TLS 1.2 in IIS server
It is not recommended to disable TLS 1.2, but this test would help you narrow down the issue. Please do not disable TLS on your production servers.
In order to disable TLS 1.2 for testing purposes:
- Go to Registry Editor
- Go to this path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
- Add these two DWORD values:
  DisabledByDefault = 1
  Enabled = 0
- Restart the server