In a case I worked on, FTP file upload was working fine while FTPS was failing with the error message below. It was failing for all IIS servers and all FTP clients.
550 supply message incomplete, signature was not verified
Sample FTP log:
2019-06-13 20:28:26 134.165.112.56 SERVER\user 134.45.232.24 21 STOR test.txt 550 2148074264 0 05edb0d4-756e-4509-8d5e-4f566cae5bfb /test.txt
The sample FTP log above shows 2148074264
as sc-win32-status
. This error code maps to SEC_E_INCOMPLETE_MESSAGE
which means “The supplied message is incomplete. The signature was not verified”.
There is a known issue in Windows Server 2008, 2008 R2, 2012, and 2012 R2 that causes this error while using FTPS because of a bug in TLS communication.
Here is the hot-fix page for this bug. The download link in this page is broken. However, you can try downloading it via this page or this one. Install the hot-fix and restart the server.
If you receive “This update is not applicable” error while trying to install the hot-fix:
Expand –F:* <path of downloaded KB> <Destination folder where you need to extract>
DISM.exe /Online /Add-Package /PackagePath:<path of the extracted file (select.cab file)>
Make sure to apply the correct update for your server’s operating system. If you are still seeing “550 supply message incomplete” error, try the following steps.
Connect to FTP server via IP
If you are using a hostname (ftp.domain.com etc.) for FTP connections, perform the following instructions:
C:\Windows\System32\drivers\etc\hosts
)ipconfig /flushdns
Try using SFTP instead of FTPS
FTPS uses two channels: Command Channel and Data Channel. Some firewalls and routers allow Data Channel communication only after reading the Command Channel data. If they can’t decrypt the Command Channel data when FTPS is used, they may block Data Channel communication.
SFTP uses only one channel for both commands and data. Therefore, this issue may not occur if you use SFTP. If it still occurs, continue with next section below.
A screenshot that shows protocols in an FTP client
Try disabling TLS 1.2 in IIS server
It is not recommended to disable TLS 1.2 but this test would help you to narrow down the issue. Please do not disable TLS in your production servers.
In order to disable TLS 1.2 for testing purposes:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
DisabledByDefault =1
Enabled = 0
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.