FTPS via IIS 7 Server 2008 Error 431

Question

I've created a certificate on my 2008 server and exported it locally. I run the example app FTPS (Part A), and I still cannot connect. The Certificate manager pops up and I import the certificate and then this happens:


DEBUG : waitOnShutdownSSL=True
DEBUG : Connecting directly to ftp-server XXX.XXX.XXX.XXX ( --->my server ip)
DEBUG : Setting socket timeout=30000
DEBUG : Set timeout=30000
DEBUG : Set timeout=30000
DEBUG : Command encoding=System.Text.ASCIIEncoding
DEBUG : Created control-socket: SocksContext=, ProxySettings=NoProxy, RemoteHost=199.82.9.33, controlPort=21, timeout=30000
DEBUG : StrictReturnCodes=False
DEBUG : 220-Microsoft FTP Service
DEBUG : Changing local working directory to C:\Documents and Settings\Jim\Local Settings\Application Data\Enterprise Distributed Technologies\edtFTPnet PRO\Temp
DEBUG : ---> AUTH TLS
DEBUG : 431 Failed to setup secure session.
INFO : Expected reply codes = [234,334,200] (strict=False)
DEBUG : Stopping FTP task processor.
DEBUG : FTP task processor stopped.
DEBUG : ---> QUIT
DEBUG : 221 Goodbye
DEBUG : Shutdown(Both)
ERROR : EnterpriseDT.Net.Ftp.FTPException: Failed to setup secure session. (code=431) : System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation.
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation.
at System.Reflection.RuntimeMethodInfo.InternalInvoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean isBinderDefault, Assembly caller, Boolean verifyAccess)
at System.Reflection.RuntimeMethodInfo.InternalInvoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean verifyAccess)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Reflection.MethodInfo.Invoke(Object obj, Object[] parameters)
at ExampleViewer.NonGuiExPage.RunExample()
CAUSED BY:
EnterpriseDT.Net.Ftp.FTPException: Failed to setup secure session. (code=431)
at EnterpriseDT.Net.Ftp.FTPControlSocket.ValidateReply(FTPReply reply, String[] expectedReplyCodes)
at EnterpriseDT.Net.Ftp.Ssl.SSLFTPClient.Auth(SSLFTPSSLVersion sslVersion, Boolean secureDataChannels)
at EnterpriseDT.Net.Ftp.SecureFTPConnection.SecureConnection()
at EnterpriseDT.Net.Ftp.SecureFTPConnection.Connect()
at FTPS2Example.Run(String serverAddress, Int32 serverPort, String userName, String password)
CAUSED BY:
EnterpriseDT.Net.Ftp.FTPException: Failed to setup secure session. (code=431)
at EnterpriseDT.Net.Ftp.FTPControlSocket.ValidateReply(FTPReply reply, String[] expectedReplyCodes)
at EnterpriseDT.Net.Ftp.Ssl.SSLFTPClient.Auth(SSLFTPSSLVersion sslVersion, Boolean secureDataChannels)
at EnterpriseDT.Net.Ftp.SecureFTPConnection.SecureConnection()
at EnterpriseDT.Net.Ftp.SecureFTPConnection.Connect()
at FTPS2Example.Run(String serverAddress, Int32 serverPort, String userName, String password)

What am I doing wrong????? THANKS!

Answer 1

It isn't clear from the log file.

Set up extended logging, by using

java -Dedtftp.log.puretls.level=65535

and email the log file to support at enterprisedt dot com

Answer 2

I'm going to put the sample code into a console Visual Studio C# app. How do I get this debugging log info from within the application code? I'm not a java programmer.

thanks

Answer 3

Oops. Wrong product. You need to set up logging at the All level. You don't need a console app.

using EnterpriseDT.Util.Debug;

Logger.CurrentLevel = Level.ALL;
Logger.AddAppender(new FileAppender("mylog.txt"));

Answer 4

Thanks Bruce, here's what I got, let me know if it's something easy to fix:

DEBUG [ExFTPControlSocket] 11 May 2008 18:08:26.500 : Created control-socket: SocksContext=, ProxySettings=NoProxy, RemoteHost=(IP removed by me), controlPort=21, timeout=120000
DEBUG [FTPControlSocket] 11 May 2008 18:08:26.500 : StrictReturnCodes=False
DEBUG [FTPControlSocket] 11 May 2008 18:08:29.781 : 220-Microsoft FTP Service
DEBUG [SecureFTPConnection] 11 May 2008 18:08:29.796 : Changing local working directory to C:\src\SampleFTPForm\SampleFTPForm\SampleFTPForm\bin\Debug
DEBUG [FTPControlSocket] 11 May 2008 18:08:29.796 : ---> AUTH TLS
DEBUG [FTPControlSocket] 11 May 2008 18:08:30.093 : 431 Failed to setup secure session.
INFO [FTPControlSocket] 11 May 2008 18:08:30.093 : Expected reply codes = [234,334,200] (strict=False)
DEBUG [AsyncProcessor] 11 May 2008 18:08:30.109 : Stopping FTP task processor.
DEBUG [AsyncProcessor] 11 May 2008 18:08:30.109 : FTP task processor stopped.
DEBUG [FTPControlSocket] 11 May 2008 18:08:30.109 : ---> QUIT
DEBUG [FTPControlSocket] 11 May 2008 18:08:30.421 : 221 Goodbye
DEBUG [SecureSocket] 11 May 2008 18:08:30.421 : Shutdown(Both)


Jim

Answer 5

Unfortunately this doesn't tell us a great deal.

If you have access to the logs of IIS, this should tell you why the attempt to set up a secure connection is failing.

You should also try the previous example to see if it works without server validation. If this works, then the problem may be that the wrong server certificate has been imported on your client. You need to import the same certificate that your FTP server is using to identify itself.

If you are sure you have imported the right server certificate, it is possible that client validation is required - that you need to set up a client certificate. But try the above before we go there ...

Answer 6

Yes the previous examples work fine without server validation

here's what I see in the IIS log file:

2008-05-12 16:12:16 19x.xx.x.xxx - 19x.xx.x.xx 21 ControlChannelOpened - - 0 0 ba7a7562-14e8-441a-856a-89764e32d499 -
2008-05-12 16:12:16 19x.xx.x.xxx - 19x.xx.x.xx 21 AUTH TLS 431 2148081668 44 ba7a7562-14e8-441a-856a-89764e32d499 -
2008-05-12 16:12:16 19x.xx.x.xxx - 19x.xx.x.xx 21 QUIT - 221 0 0 ba7a7562-14e8-441a-856a-89764e32d499 -
2008-05-12 16:12:16 19x.xx.x.xxx - 19x.xx.x.xx 21 ControlChannelClosed - - 0 0 ba7a7562-14e8-441a-856a-89764e32d499 -
2008-05-12 16:16:12 19x.xx.x.xxx - 19x.xx.x.xx 21 ControlChannelOpened - - 0 0 71591cf6-d790-46d4-9b62-1acd14dbb370 -
2008-05-12 16:16:12 19x.xx.x.xxx - 19x.xx.x.xx 21 AUTH TLS 431 2148081668 44 71591cf6-d790-46d4-9b62-1acd14dbb370 -
2008-05-12 16:16:12 19x.xx.x.xxx - 19x.xx.x.xx 21 QUIT - 221 0 0 71591cf6-d790-46d4-9b62-1acd14dbb370 -
2008-05-12 16:16:12 19x.xx.x.xxx - 19x.xx.x.xx 21 ControlChannelClosed - - 0 0 71591cf6-d790-46d4-9b62-1acd14dbb370 -

I also tried your suggestion to do client validation and got this additonal message saying certificate not found:

2008-05-12 17:20:01 19x.xx.x.xxx 3572 - FTPSVC2 SDC-SERVER2008 - 19x.xx.x.xxx 21 ControlChannelOpened - - 0 0 0 0 0 0820e6fe-1a74-4d9b-bb65-10de62d390a5 - -
2008-05-12 17:20:01 19x.xx.x.xxx 3572 - FTPSVC2 SDC-SERVER2008 - 19x.xx.x.xxx AUTH TLS 431 2148081668 44 -16 10 0 0820e6fe-1a74-4d9b-bb65-10de62d390a5 - SSL+certificate+was+not+found.
2008-05-12 17:20:01 19x.xx.x.xxx 3572 - FTPSVC2 SDC-SERVER2008 - 19x.xx.x.xxx 21 QUIT - 221 0 0 13 6 0 0820e6fe-1a74-4d9b-bb65-10de62d390a5 - -
2008-05-12 17:20:01 19x.xx.x.xxx 3572 - FTPSVC2 SDC-SERVER2008 - 19x.xx.x.xxx 21 ControlChannelClosed - - 0 0 50 6 0 0820e6fe-1a74-4d9b-bb65-10de62d390a5 - -

I created the certificate on the client as your documentation states in "Private Key Access Problems" using makecert.. Then I went into IE on the client and exported the certificate as Cryptographic Message Syntax Standard PKCS#7. I then imported that certificate on the 2008 Server and still getting the same error above. On the example app I get the 431 error just like without client authentication.

Answer 7

Ok, if it works without server validation, let's try to get it working with server validation. The only problem should be the server certificate in this case.

You need to ensure that on the client machine, the server's certificate is imported (as per the users guide).

It may be the case that the one you are creating in IIS and then importing into the client isn't the one actually being used by IIS for FTPS.

Answer 8

Wow this is really tricky. I found out that there is a place in IIS where you tell it what certificate to use for ftp. Now I'm getting close.
I initially created the server cert. by using "Create self-signed certificate'
I exported that certificate (using export in the IIS GUI) and with Example Server validation PART A, imported that certificate, I'm getting this error:

DEBUG : ---> AUTH TLS
DEBUG : 234 AUTH command ok. Expecting TLS Negotiation.
DEBUG : Beginning Tls1 handshake.
DEBUG : Processing hello
ERROR : OnReceive - caught exception - closing : e8: The certificate could not be verified: j - The certificate's Common Name (SDC-Server2008) does not match the configured value (1xx.xx.xx.x).
e8: The certificate could not be verified: j - The certificate's Common Name (SDC-Server2008) does not match the configured value (1xx.xx.xx.x).
at d0.a(af A_0, Boolean A_1)
at d0.a(dz A_0, Boolean A_1)
at cy.a(dz A_0)
at d0.b(gb A_0)
at fo.a(Byte[] A_0, Int32 A_1, Int32 A_2)
at a1.b(Byte[] A_0, Int32 A_1, Int32 A_2)
at a1.c(Byte[] A_0, Int32 A_1, Int32 A_2)
at z.h(IAsyncResult A_0)
DEBUG : CloseConnection(e=The certificate could not be verified: j - The certificate's Common Name (SDC-Server2008) does not match the configured value (1xx.xx.xx.x).)
DEBUG : Shut down socket
DEBUG : Closed socket
DEBUG : Close() called when open
DEBUG : OnHandshakeComplete(False,The certificate could not be verified: j - The certificate's Common Name (SDC-Server2008) does not match the configured value (1xx.xx.xx.x).)
ERROR : Exception during handshake: The certificate could not be verified: j - The certificate's Common Name (SDC-Server2008) does not match the configured value (1xx.xx.xx.x).
ERROR : EnterpriseDT.Net.Ftp.Ssl.SSLFTPException: The certificate could not be verified: j - The certificate's Common Name (SDC-Server2008) does not match the configured value (1xx.xx.xx.x). : System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation.
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation.
at System.Reflection.RuntimeMethodInfo.InternalInvoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean isBinderDefault, Assembly caller, Boolean verifyAccess)
at System.Reflection.RuntimeMethodInfo.InternalInvoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean verifyAccess)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Reflection.MethodInfo.Invoke(Object obj, Object[] parameters)
at ExampleViewer.NonGuiExPage.RunExample()

from the IIS log:
AUTH TLS 234 0 0 -4 10 0 8083c762-defe-4aaf-9c9e-2113d5db09a0 - -
ControlChannelClosed - - 0 0 882 58 47 8083c762-defe-4aaf-9c9e-2113d5db09a0 - -

I must not be creating the exported certificate right? I've tried different combinations of exporting via the IIS GUI but nothing is working. I was able to get the error about certificate not within validity period by putting the server's date in the future but this error is stumping me. What does "does not match the configured value" mean?

Thanks,
Jim

Answer 9

Ah, looks like you are getting closer.

Typically, a field known as the 'common name' (or CN) in the certificate is set to the server's hostname. The client checks that the hostname matches the CN, and throws an error if it does not.

Since yours don't match, you can explicitly set the CN:

SecureFTPConnection ftp;
......
ftp.ServerCommonName = "SDC-Server2008";

This should allow things to proceed.

Answer 10

Thanks!! that worked. now on to the fun parts.

I have a quick question on exporting the key from the server. When the option for exporting the private key appears, it asks for Yes, No to include the password. What are the benefits/drawbacks on doing this with or without the password? I'm assuming that when I add the private key, whenever a new client gets setup I need to install the certificate in some sort of installshield script? Once the certificate gets added to the client PC is that all I need to do? or does my application somehow need to store this password in the registry to provide it every time I FTP to this server? I'm trying to plan ahead and automate setting up my clients and wondered how this is done..

Jim