0 votes
12.3k views
in .NET FTP by (520 points)
I've created a certificate on my 2008 server and exported it locally. I run the example app FTPS (Part A), and I still cannot connect. The Certificate manager pops up and I import the certificate and then this happens:


DEBUG : waitOnShutdownSSL=True
DEBUG : Connecting directly to ftp-server XXX.XXX.XXX.XXX ( --->my server ip)
DEBUG : Setting socket timeout=30000
DEBUG : Set timeout=30000
DEBUG : Set timeout=30000
DEBUG : Command encoding=System.Text.ASCIIEncoding
DEBUG : Created control-socket: SocksContext=, ProxySettings=NoProxy, RemoteHost=199.82.9.33, controlPort=21, timeout=30000
DEBUG : StrictReturnCodes=False
DEBUG : 220-Microsoft FTP Service
DEBUG : Changing local working directory to C:\Documents and Settings\Jim\Local Settings\Application Data\Enterprise Distributed Technologies\edtFTPnet PRO\Temp
DEBUG : ---> AUTH TLS
DEBUG : 431 Failed to setup secure session.
INFO : Expected reply codes = [234,334,200] (strict=False)
DEBUG : Stopping FTP task processor.
DEBUG : FTP task processor stopped.
DEBUG : ---> QUIT
DEBUG : 221 Goodbye
DEBUG : Shutdown(Both)
ERROR : EnterpriseDT.Net.Ftp.FTPException: Failed to setup secure session. (code=431) : System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation.
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation.
at System.Reflection.RuntimeMethodInfo.InternalInvoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean isBinderDefault, Assembly caller, Boolean verifyAccess)
at System.Reflection.RuntimeMethodInfo.InternalInvoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean verifyAccess)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Reflection.MethodInfo.Invoke(Object obj, Object[] parameters)
at ExampleViewer.NonGuiExPage.RunExample()
CAUSED BY:
EnterpriseDT.Net.Ftp.FTPException: Failed to setup secure session. (code=431)
at EnterpriseDT.Net.Ftp.FTPControlSocket.ValidateReply(FTPReply reply, String[] expectedReplyCodes)
at EnterpriseDT.Net.Ftp.Ssl.SSLFTPClient.Auth(SSLFTPSSLVersion sslVersion, Boolean secureDataChannels)
at EnterpriseDT.Net.Ftp.SecureFTPConnection.SecureConnection()
at EnterpriseDT.Net.Ftp.SecureFTPConnection.Connect()
at FTPS2Example.Run(String serverAddress, Int32 serverPort, String userName, String password)
CAUSED BY:
EnterpriseDT.Net.Ftp.FTPException: Failed to setup secure session. (code=431)
at EnterpriseDT.Net.Ftp.FTPControlSocket.ValidateReply(FTPReply reply, String[] expectedReplyCodes)
at EnterpriseDT.Net.Ftp.Ssl.SSLFTPClient.Auth(SSLFTPSSLVersion sslVersion, Boolean secureDataChannels)
at EnterpriseDT.Net.Ftp.SecureFTPConnection.SecureConnection()
at EnterpriseDT.Net.Ftp.SecureFTPConnection.Connect()
at FTPS2Example.Run(String serverAddress, Int32 serverPort, String userName, String password)

What am I doing wrong????? THANKS!
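
As an added example (not part of the original post and not EnterpriseDT code), the script below pairs each control-channel command in a log of this format with its final reply and classifies the reply to AUTH using the codes defined in RFC 2228. The function names and the embedded sample lines are constructed for illustration.

```python
import re

# AUTH reply meanings as defined in RFC 2228 (FTP Security Extensions).
AUTH_REPLIES = {
    "234": "accepted; TLS handshake starts next",
    "334": "accepted; server expects security data (ADAT)",
    "431": "server cannot set up the mechanism (required resource unavailable)",
    "502": "security extensions not implemented",
    "504": "mechanism not understood",
    "534": "mechanism refused by server policy",
}

CMD = re.compile(r"^\w+\s*:\s*--->\s*(.+)$")
REPLY = re.compile(r"^\w+\s*:\s*(\d{3})([ -])(.*)$")

def pair_commands(lines):
    """Return [(command, code, text)] for each command and its final reply."""
    pairs, pending = [], None
    for line in lines:
        line = line.strip()
        m = CMD.match(line)
        if m:
            pending = m.group(1)
            continue
        m = REPLY.match(line)
        # "NNN-" marks a continuation line; only "NNN " ends a reply.
        if m and pending and m.group(2) == " ":
            pairs.append((pending, m.group(1), m.group(3)))
            pending = None
    return pairs

def diagnose_auth(lines):
    """Classify the outcome of the first AUTH command in the log."""
    for cmd, code, text in pair_commands(lines):
        if cmd.upper().startswith("AUTH"):
            meaning = AUTH_REPLIES.get(code, "unexpected reply")
            return {"command": cmd, "code": code, "meaning": meaning,
                    "handshake_started": code == "234"}
    return None

# Constructed sample: control-channel lines in the format of the log above.
SAMPLE = """\
DEBUG : 220-Microsoft FTP Service
DEBUG : ---> AUTH TLS
DEBUG : 431 Failed to setup secure session.
INFO : Expected reply codes = [234,334,200] (strict=False)
DEBUG : ---> QUIT
DEBUG : 221 Goodbye
""".splitlines()
```

Calling `diagnose_auth(SAMPLE)` reports code 431 with `handshake_started` set to `False`: the server answered AUTH TLS with a refusal on the plain-text control channel, before any TLS handshake took place.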

13 Answers

0 votes
by (162k points)
I'm not sure if you are now talking about client certificates or not.

You can authenticate clients to the server via username/password, or you can opt to use client certificates (which are different to the server certificate). You need to decide how you are going to authenticate clients.

Just a general note - it is always safer to use a password with a private key, otherwise someone can simply copy it and use it.
0 votes
by (520 points)
So then my question is: if I take a private key with a password included, how does that typically get distributed en masse? Say I've set up my FTPS server and now I want 1-x number of clients talking to that server. My guess is that I could do something in InstallShield that would install my application along with the key file automatically? Would that work?
0 votes
by (162k points)
Firstly, consider whether you actually require client certificates, or whether username/password authentication is sufficient for you. Client certificates make it that bit harder to break into the server, as just trying user/password on the server is not enough - you actually need the client certificate and private key installed.

I'm assuming here that IIS actually supports client certificates for FTPS.

Do you want all your clients to use the same credentials? In that case you can just install the client certificate and private key as part of the install automatically as you suggest. If you want individual credentials that is a trickier problem.
