Can't connect to Windows Server 2012 (IIS 8) FTP when using

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Post Reply
Message
Author
gbaotic
504 Command not implemented
Posts: 10
Joined: 2012-12-04 11:30
First name: Goran
Last name: Baotic

Can't connect to Windows Server 2012 (IIS 8) FTP when using

#1 Post by gbaotic » 2012-12-04 11:34

Using FileZilla, I cannot connect to any of my Windows Server 2012 machines when using FTPES on IIS 8.
FileZilla 3.6.0.2 debug level 4 log:

Code: Select all

Trace:	CControlSocket::DoClose(64)
Trace:	CControlSocket::DoClose(64)
Status:	Resolving address of mysite.example.com
Status:	Connecting to 1.1.1.1:21...
Status:	Connection established, waiting for welcome message...
Trace:	CFtpControlSocket::OnReceive()
Response:	220-Microsoft FTP Service
Trace:	CFtpControlSocket::OnReceive()
Response:	220 MyFtpService
Trace:	CFtpControlSocket::SendNextCommand()
Command:	AUTH TLS
Trace:	CFtpControlSocket::OnReceive()
Response:	234 AUTH command ok. Expecting TLS Negotiation.
Status:	Initializing TLS...
Trace:	CTlsSocket::Handshake()
Trace:	CTlsSocket::ContinueHandshake()
Trace:	CTlsSocket::OnSend()
Trace:	CTlsSocket::OnRead()
Trace:	CTlsSocket::ContinueHandshake()
Trace:	CTlsSocket::OnRead()
Trace:	CTlsSocket::ContinueHandshake()
Trace:	CTlsSocket::Failure(-110, 10053)
Error:	GnuTLS error -110: The TLS connection was non-properly terminated.
Trace:	CTlsSocket::OnSocketEvent(): close event received
Trace:	CRealControlSocket::OnClose(10053)
Trace:	CControlSocket::DoClose(64)
Trace:	CFtpControlSocket::ResetOperation(66)
Trace:	CControlSocket::ResetOperation(66)
Error:	Could not connect to server
Trace:	CFileZillaEnginePrivate::ResetOperation(66)
I have already tried reordering cipher suites as desribed here, but it didn't help:
http://blogs.msdn.com/b/kaushal/archive ... l-tls.aspx
Changing certificates on the FTP site doesn't help as well. I think the error happens before certificate is received.
WS_FTP and some other FTP clients work fine, while WinSCP makes a connection but throws errors on file transfer (something about invalid signature). It did help with file transfers when I prioritized TLS_RSA_WITH_RC4_128_SHA on the server SSL Cipher Suite Order.
It is worth noting that a version of FileZilla from a few weeks ago (I don't know which one exactly) connected fine, but was not able to transfer files (also a lot of errors), exactly what WinSCP does now.
Connecting to my Windows Server 2008 R2 (IIS 7.5) machines works perfectly. FTP sites are configured the same way as they are in the IIS 8 installation.

User avatar
botg
Site Admin
Posts: 32378
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#2 Post by botg » 2012-12-04 18:55

FTP isn't vulnerable against the BEAST attack. Leaving out ciphers using CBC frequently results in compatibility problems.

Unfortunately in this case the connection is just closed, there's not even a TLS alert being sent by the server indicating the problem. Check your server logs, there must be an explanation written somewhere.

Ferroto
504 Command not implemented
Posts: 8
Joined: 2012-12-12 01:12

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#3 Post by Ferroto » 2012-12-12 01:33

I can confirm the behavior OP described. There seems to be no way to get FileZilla to connect to an IIS 8 ftp with SSL. Another resource I found on the topic was here but their only fix is to use coreFTP instead of FileZilla :(

Personally I like the FileZilla server better than the IIS ftp and currently I have only one Windows Server with IIS 8 where it's no problem to use the FileZilla ftp server.

However as soon as it comes to servers with lots of users which not only use ftp but also other (windows) services the advantage of one user management interface becomes most important and the FileZilla ftp server is no longer an option. So for the future it would be very nice if the FileZilla client again becomes compatible to IIS.

Regarding the server side log: It had nearly no useful information (also I had the IIS log level set to debug). Only one or two lines per connection attempt which didn't indicate an error or even error code or something. Unfortunately currently I have no access to the server in question but if I don't forget it I will post the log later - maybe anyone else can find something interesting in it.

Ferroto
504 Command not implemented
Posts: 8
Joined: 2012-12-12 01:12

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#4 Post by Ferroto » 2012-12-12 13:16

As promiesed the server log (this was even from a local try to be sure there is no Router/Firewall which could interfere):

Code: Select all

#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2012-12-11 23:19:43
#Fields: date time c-ip c-port cs-username cs-host s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus time-taken x-session x-fullpath x-debug
2012-12-11 23:19:43 10.0.2.10 49910 - - 10.0.2.10 21 ControlChannelOpened - - 0 0 0 c7ed8656-8462-4c5c-828b-03946100b73b - -
2012-12-11 23:19:43 10.0.2.10 49910 - - 10.0.2.10 21 AUTH TLS 234 0 0 0 c7ed8656-8462-4c5c-828b-03946100b73b - -
2012-12-11 23:19:43 10.0.2.10 49910 - - 10.0.2.10 21 ControlChannelClosed - - 2148074289 0 32 
The client log looked nearly exactly the same as posted by OP only I had no debug infos displayed.

User avatar
botg
Site Admin
Posts: 32378
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#5 Post by botg » 2012-12-12 20:53

Unfortunately completely void of new information.

Does it work if using any different FTP over TLS server?

Ferroto
504 Command not implemented
Posts: 8
Joined: 2012-12-12 01:12

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#6 Post by Ferroto » 2012-12-13 12:40

botg wrote: Does it work if using any different FTP over TLS server?
Sure, on the server in question I've currently a FileZilla Server with the exact same certificate running which works great. But as I said, that's only an option as long as you don't have to manage lots of users or even an AD. I'd also assume that it would work with IIS 7.5 as OP had no problems with that and I also never encountered any issues with it.

If I can do anything to provide more useful information let me know it. Maybe there is some way to get more information from the IIS 8? I could also send you a package dump of a wireshark capture if that could help...

User avatar
botg
Site Admin
Posts: 32378
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#7 Post by botg » 2012-12-13 19:57

Unfortunately I can't help you any further with IIS, I'm not familiar with that server. Try contacting Microsoft support.

Ferroto
504 Command not implemented
Posts: 8
Joined: 2012-12-12 01:12

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#8 Post by Ferroto » 2012-12-13 21:11

botg wrote:Try contacting Microsoft support.
I hope that was sarcasm :P

In any case I will not waste my time there. And should the day come were I really need to set up an IIS 8 productive ftp than so be it and it has to work without FileZilla Client support.

User avatar
botg
Site Admin
Posts: 32378
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#9 Post by botg » 2012-12-13 22:15

I'm serious. There's a particular problem with a server which does not print enough diagnostic information to further analyze this problem. Thus, only the server vendor can help to analyze this further. In other words, Microsoft support is needed here.

Ferroto
504 Command not implemented
Posts: 8
Joined: 2012-12-12 01:12

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#10 Post by Ferroto » 2012-12-13 23:53

Well in the past when I thought I need MS support for anything server related it took ages and was not satisfying at all.

However, I wanted to do a last check with Wireshark and look at the packages. Thereby I ended up on Linux were I have an older FileZilla Client installed. And well it just worked - with the same IIS 8 ftp still with the same SSL certificate on the same server.

So I went back to windows and worked myself up through the FileZilla Client version history starting from the one I had on Linux.
FileZilla_3.6.0-beta1 is the last one that works with IIS, FileZilla_3.6.0-rc1 is the first one with the above described problematic behavior.

Knowing that I wouldn't say for sure that it is an IIS 8 problem but maybe a problem with all IIS in general and the new versions of FileZilla Client. And knowing that maybe you still could look again what was changed between these version and 'fix' it somehow ;-)

User avatar
boco
Contributor
Posts: 24685
Joined: 2006-05-01 03:28
Location: Germany

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#11 Post by boco » 2012-12-14 00:34

### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

gbaotic
504 Command not implemented
Posts: 10
Joined: 2012-12-04 11:30
First name: Goran
Last name: Baotic

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#12 Post by gbaotic » 2012-12-16 19:31

Ferroto wrote:So I went back to windows and worked myself up through the FileZilla Client version history starting from the one I had on Linux.
FileZilla_3.6.0-beta1 is the last one that works with IIS, FileZilla_3.6.0-rc1 is the first one with the above described problematic behavior.
It's great you found that out. I have just downgraded FileZilla to 3.5.3 and it seems that everything works just fine.
This error might have something to do with Revision 4815 (sorting ciphers).

dmanno
500 Command not understood
Posts: 1
Joined: 2013-01-11 23:13
Location: CA
Contact:

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#13 Post by dmanno » 2013-01-11 23:31

I was also receiving "GnuTLS error -110: The TLS connection was not-properly terminated" when trying to connect to my FTP site over SLL on IIS 8 on Windows Server 2012. Non-SSL FTP connections worked fine through FileZilla. When I downgraded FileZilla to 3.5.3, I was able to connect using SSL without any problems. I've been banging my head against the wall for a while now, trying to fix this. Thanks Ferroto!
devineloper

m.oe
500 Command not understood
Posts: 1
Joined: 2013-02-20 21:16

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#14 Post by m.oe » 2013-02-20 21:18

I can confirm this. Server is Server 2012 / IIS 8 with a self-signed certificate.

FileZilla 3.6.2 cannot connect with the error above.
FileZilla 3.5.3 connects fine.

@Developers: I can provide a test server if you need

rossh
550 File not found
Posts: 32
Joined: 2013-03-11 09:46
First name: Ross

Re: Can't connect to Windows Server 2012 (IIS 8) FTP when us

#15 Post by rossh » 2013-03-11 10:16

3.6.0.2: Same error here but with a 2008 R2 server...

On my server, I have activated both the TLS 1.1. and 1.2. those are normally disabled on the server. Its also set up for PCI compliance in the limited ciphers it uses. Specifically RC4 128/128, TripDES 168/168, AES 128/128, AES 256/256 only.

At the server end, it gives this error:

SChannel: The following fatal alert was generated: 40. The internal error state is 1205.

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

However, if I allow The default cipher set (everything, including nothing), then 3.6.0.2 does connect without error. But I can't allow the server to run this way, with all the poor quality ciphers active.

**********

I went back to 3.53. No problems. It works with the server set to both 1.1. 1.2 allowed, and limited PCI complaint ciphers.

**********

It would seem that 3.6.x is trying to connect using a non supported, or poor quality cipher.

Contact me if more testing is needed.

Post Reply