Failed to retrieve directory listing - Windows FTP Server

Blog Post created by SungHoon_Kim Employee on Feb 26, 2018

I have an interesting issue and wanted to share some insight into what I have learned.

 

On Windows, you can install the FTP Server role on top of IIS.

The convenience is in credential management: AD users can log in to the FTP server with their domain credentials and receive the permissions granted to their account.

 

The challenge came when trying to access the Windows FTP Server via PAM.

The expectation was that the FTP client's traffic would go via the PAM Server, with no direct connection from the client to the FTP Server, and that the user would be logged in automatically.

 

The result was not what I expected.

The FTP client failed to get the directory listing from the FTP Server.

 

So I went to take a look at the FTP server logs and found the following.

FTP log
2018-01-24 05:41:22 192.168.0.200 59686 - - WWW - 192.168.0.51 21 ControlChannelOpened - - 0 0 0 0 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - -
2018-01-24 05:41:23 192.168.0.200 59686 - FTPSVC2 WWW - 192.168.0.51 21 USER administrator 331 0 0 23 20 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - -
2018-01-24 05:41:23 192.168.0.200 59686 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 21 PASS *** 230 0 0 87 18 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 / -
2018-01-24 05:41:23 192.168.0.200 59686 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 21 SYST - 215 0 0 16 6 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - -
2018-01-24 05:41:23 192.168.0.200 59686 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 21 FEAT - 211 0 0 149 6 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - -
2018-01-24 05:41:23 192.168.0.200 59686 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 21 OPTS UTF8+ON 200 0 0 58 14 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - -
2018-01-24 05:41:23 192.168.0.200 59686 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 21 PWD - 257 0 0 31 5 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - -
2018-01-24 05:41:23 192.168.0.200 59686 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 21 TYPE A 200 0 0 20 8 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - -
2018-01-24 05:41:23 192.168.0.200 59686 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 21 PASV - 227 0 0 50 6 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - -
2018-01-24 05:41:23 192.168.0.128 55606 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 55838 DataChannelOpened - - 0 0 0 0 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - -
2018-01-24 05:41:23 192.168.0.128 55606 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 55838 DataChannelClosed - - 1236 38 0 0 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - Client+IP+on+the+control+channel+didn't+match+the+client+IP+on+the+data+channel.
2018-01-24 05:41:23 192.168.0.200 59686 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 21 LIST -a 425 1236 38 75 9 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 / Client+IP+on+the+control+channel+didn't+match+the+client+IP+on+the+data+channel.
2018-01-24 05:41:23 192.168.0.200 59686 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 21 TYPE A 200 0 0 20 8 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - -
2018-01-24 05:41:23 192.168.0.200 59686 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 21 PASV - 227 0 0 50 6 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - -
2018-01-24 05:41:23 192.168.0.128 55607 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 55839 DataChannelOpened - - 0 0 0 0 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - -
2018-01-24 05:41:23 192.168.0.128 55607 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 55839 DataChannelClosed - - 1236 38 0 0 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - Client+IP+on+the+control+channel+didn't+match+the+client+IP+on+the+data+channel.
2018-01-24 05:41:23 192.168.0.200 59686 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 21 LIST - 425 1236 38 75 6 16 0e45aee5-210d-46af-8e97-a50c2bc9aac6 / Client+IP+on+the+control+channel+didn't+match+the+client+IP+on+the+data+channel.
2018-01-24 05:41:39 192.168.0.200 59686 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 21 ControlChannelClosed - - 0 0 681 112 16750 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - -

 

The control channel client IP address is "192.168.0.200", which is my PAM Server.

The data channel client IP address is "192.168.0.128", which is the PAM client.

 

What is happening is that the initial control channel is established via the PAM Server: the FTP client is told to connect to 127.0.0.1:21, a local listener that the PAM client tunnels to the PAM Server, which in turn connects to the FTP Server on port 21.

So it is expected that the control channel shows the PAM Server's IP address as the "Client IP".

 

Once the FTP client has established the control channel and authenticated the user, it opens a second TCP connection, the data channel, for each transfer or directory listing. In passive mode the client sends PASV and the server replies (227) with the IP address and port the client should connect to; in the log above that is 192.168.0.51:55838.

The difference this time is that the address in the 227 reply is the FTP Server's real address, not the local 127.0.0.1 listener, so the FTP client connects directly to the FTP Server, bypassing the PAM tunnel. The FTP Server therefore sees the PAM client's own address, 192.168.0.128, on the data channel.

 

The error "Failed to retrieve directory listing" is caused by the FTP Server rejecting the data channel connection and answering the LIST with 425, because the client IP address on the data channel did not match the one on the control channel. This check is deliberate: it stops a third party from connecting to the advertised passive port and reading or injecting the transfer.
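To make the two points above concrete, here is an added example (editor's code, not from the original post or from the PAM product) that does two things: it decodes a PASV 227 reply to show where the client is told to connect for the data channel, and it runs the same mismatch check the FTP Server performs over the post's own log lines, grouping events by session ID and comparing the control-channel client IP with each data-channel client IP. Assumptions: columns are read positionally from the layout visible in the log above (client IP in column 3, server port in column 10, method in column 11, status in column 13, session ID in column 19, diagnostic text in the last column), and the 227 reply text is constructed to match the server address and data port in the log, since the post does not show the reply itself.

```python
import re
from collections import defaultdict

# IIS FTP log lines copied from the post above (one session, passive mode).
# Each line is whitespace-separated; the diagnostic text uses '+' for spaces,
# so a plain split() yields exactly one token per column.
SAMPLE_LOG = r"""
2018-01-24 05:41:22 192.168.0.200 59686 - - WWW - 192.168.0.51 21 ControlChannelOpened - - 0 0 0 0 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - -
2018-01-24 05:41:23 192.168.0.200 59686 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 21 PASV - 227 0 0 50 6 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - -
2018-01-24 05:41:23 192.168.0.128 55606 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 55838 DataChannelOpened - - 0 0 0 0 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - -
2018-01-24 05:41:23 192.168.0.128 55606 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 55838 DataChannelClosed - - 1236 38 0 0 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 - Client+IP+on+the+control+channel+didn't+match+the+client+IP+on+the+data+channel.
2018-01-24 05:41:23 192.168.0.200 59686 WWW\Administrator FTPSVC2 WWW - 192.168.0.51 21 LIST -a 425 1236 38 75 9 0 0e45aee5-210d-46af-8e97-a50c2bc9aac6 / Client+IP+on+the+control+channel+didn't+match+the+client+IP+on+the+data+channel.
"""

# Zero-based column positions, read off the post's log layout (assumption:
# the server was logging its default W3C field set in this order).
C_IP, S_PORT, METHOD, STATUS, SESSION, DEBUG = 2, 9, 10, 12, 18, 20


def parse_line(line):
    """Split one W3C FTP log line into the fields this check needs."""
    f = line.split()
    if len(f) < 21:
        return None
    return {
        "c_ip": f[C_IP],
        "s_port": f[S_PORT],
        "method": f[METHOD],
        "status": f[STATUS],
        "session": f[SESSION],
        "debug": f[DEBUG].replace("+", " "),
    }


def find_ip_mismatches(log_text):
    """Group events by session and report data channels whose client IP
    differs from the IP that opened the control channel for that session.

    Returns a list of (session_id, control_ip, data_ip, server_port, status)
    tuples, one per mismatched data channel, with the FTP status code of the
    command the server failed because of it (425 for the LIST in the post).
    """
    sessions = defaultdict(lambda: {"control_ip": None, "data": [], "statuses": []})
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        s = sessions[ev["session"]]
        if ev["method"] == "ControlChannelOpened":
            s["control_ip"] = ev["c_ip"]
        elif ev["method"] == "DataChannelOpened":
            s["data"].append((ev["c_ip"], ev["s_port"]))
        elif ev["status"].isdigit() and "didn't match" in ev["debug"]:
            s["statuses"].append(ev["status"])

    findings = []
    for sid, s in sessions.items():
        for data_ip, port in s["data"]:
            if s["control_ip"] is not None and data_ip != s["control_ip"]:
                # Status of the command rejected for this mismatch, if logged.
                status = s["statuses"].pop(0) if s["statuses"] else "-"
                findings.append((sid, s["control_ip"], data_ip, port, status))
    return findings


PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_pasv_reply(reply):
    """Decode an RFC 959 '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply
    into the (host, port) the client will connect to for the data channel."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


if __name__ == "__main__":
    for sid, ctl, data, port, status in find_ip_mismatches(SAMPLE_LOG):
        print("session %s: control from %s, data from %s to port %s -> %s"
              % (sid, ctl, data, port, status))
    # Constructed 227 reply consistent with the post's log (server 192.168.0.51,
    # data port 55838 = 218*256 + 30); the real reply text is not in the post.
    print(decode_pasv_reply("227 Entering Passive Mode (192,168,0,51,218,30)."))
```

Run as a script it prints the one rejected data channel in the sample and the decoded passive address, which is the FTP Server's own IP rather than the 127.0.0.1 listener the client was pointed at. Over a real day's log the same correlation tells you how many sessions fail this way and from which client addresses, which is the quickest confirmation that the data channel is escaping the tunnel.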

 

==================

 

So I was looking for a workaround and found that, if I use FileZilla FTP Server, I can get past this error.

The FTP Server and FTP client behave exactly the same way, but FileZilla FTP Server has a switch to ignore this specific error case.

 

You can either select "Relaxed IP match" (which I think is set by default) or simply "Disable IP check" altogether.

Then you will no longer get "Failed to retrieve directory listing". Keep in mind what you are turning off: the IP check is the server's protection against someone other than the authenticated client connecting to the passive data port, so relaxing or disabling it should be limited to a network where that risk is acceptable.

 

Be reminded that, if you use FileZilla FTP Server:

1) you cannot make use of AD credentials, and

2) the FTP client is still connecting directly to the FTP server for the data channel, so the traffic is not fully going through PAM.

 

So how can I force the FTP client to go via the PAM Server and also avoid this error?

(If both the control channel and the data channel go via the PAM Server, the client IPs match and you would not encounter the error in the first place.)

 

There is a predefined TCP service that comes out of the box.

It is called "sftpftpemb".

 

Note that the port specified is 22, not 21.

And you cannot configure the "Client Application".

 

The reason is that it is hardcoded to use WinSCP as the Client Application.

And it uses port 22, which makes WinSCP treat the session as SFTP (the SSH File Transfer Protocol; SFTP and FTPS, which is FTP over TLS, are two completely different things). SFTP runs everything over a single SSH connection, so there is no separate data channel: all communication goes to 127.0.0.200:22 and therefore through the PAM tunnel.

 

If you create the same service but specify the FileZilla FTP client as the Client Application instead, you will find that FileZilla complains about the protocol and fails to connect to the server.

filezilla.log
2018-02-25 19:11:17 4900 1 Error: Cannot establish FTP connection to an SFTP server. Please select proper protocol.
2018-02-25 19:11:17 4900 1 Error: Critical error: Could not connect to server

 

So this "sftpftpemb" service is specially crafted and tested with WinSCP to allow connecting to the FTP server via PAM.

 

To provide some more insight: when you launch the link to the sftpftpemb service, it extracts WinSCP to the %USERPROFILE% folder.

 

For example, if your %USERPROFILE% folder is "C:\Users\user1", the WinSCP files will be extracted under "C:\Users\user1\WinSCP".

 

So you do not need to install WinSCP if you are using the sftpftpemb service.
