I've been trying to get a custom HTTP health check monitor working using NTLM authentication. Test from cli works fine but from the LTM monitor it isn't and is locking the active directory account. I've copied the password from the curl command below several times and pasted it into the password field on the monitor to ensure the creds match, that said I've listed the monitor settings below clearly showing the password. If anyone has experienced a similar issue and found a workaround for this your help would be most welcomed. The LTM version is BIG-IP 11.2.1 1217.0 Below shows parameters are working from cli but not from monitor. [test@LBtest:Active:Standalone] config curl -v --ntlm -u 'F5testaccount@test.com:$F5testaccount&123' -H 'Host: server1.test.com' http://10.1.1.11/_layouts/Healthcheck/Healthcheck.aspx * About to connect() to 10.1.1.11 port 80 (0) * Trying 10.1.1.11... connected * Connected to 10.1.1.11 (10.1.1.11) port 80 (0) * Server auth using NTLM with user 'F5testaccount@test.com' GET /_layouts/Healthcheck/Healthcheck.aspx HTTP/1.1 Authorization: NTLM TlR User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5 Accept: / Host: server1.test.com < HTTP/1.1 401 Unauthorized < Server: Microsoft-IIS/7.5 < SPRequestGuid: 0c257 < WWW-Authenticate: NTLM TlR= < WWW-Authenticate: Negotiate < X-Powered-By: ASP.NET < MicrosoftSharePointTeamServices: 14.0.0.6126 < X-MS-InvokeApp: 1; RequireReadOnly < Date: Fri, 24 Jan 2014 21:28:38 GMT < Content-Length: 0 < * Connection 0 to host 10.1.1.11 left intact * Issue another request to this URL: 'http://10.1.1.11/_layouts/Healthcheck/Healthcheck.aspx' * Re-using existing connection! (0) with host 10.1.1.11 * Connected to 10.1.1.11 (10.1.1.11) port 80 (0) * Server auth using NTLM with user 'F5testaccount@test.com' GET /_layouts/Healthcheck/Healthcheck.aspx HTTP/1.1 Authorization: NTLM TlR= User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5 Accept: / Host: server1.test.com < HTTP/1.1 200 OK !!!!ommitted for brevity status: pass * Connection 0 to host 10.1.1.11 left intact * Closing connection 0 Monitor health checks Not Working and is locking the active directory account. LTM Monitor config: ltm monitor http HC_test.com { defaults-from /Common/http destination : interval 5 partition Network_Test password $F5testaccount&123 recv pass send "GET /_layouts/Healthcheck/Healthcheck.aspx HTTP/1.1\r\nHost: server1.test.com" time-until-up 0 timeout 16 username test\F5testaccount }

Hi, try removing the DOMAIN\ from your username. For example: F5testaccount rather than test\F5testaccount Mike

Oxenburger_1420

Nimbostratus

Jan 24, 2014

Custom HTTP health monitor failing when using NTLM authentication

I've been trying to get a custom HTTP health check monitor working using NTLM authentication.

Test from cli works fine but from the LTM monitor it isn't and is locking the active directory account.

I've copied the password from the curl command below several times and pasted it into the password field on the monitor to ensure the creds match, that said I've listed the monitor settings below clearly showing the password.

If anyone has experienced a similar issue and found a workaround for this your help would be most welcomed.

The LTM version is BIG-IP 11.2.1 1217.0

Below shows parameters are working from cli but not from monitor.

[test@LBtest:Active:Standalone] config curl -v --ntlm -u 'F5testaccount@test.com:$F5testaccount&123' -H 'Host: server1.test.com' http://10.1.1.11/_layouts/Healthcheck/Healthcheck.aspx * About to connect() to 10.1.1.11 port 80 (0) * Trying 10.1.1.11... connected * Connected to 10.1.1.11 (10.1.1.11) port 80 (0) * Server auth using NTLM with user 'F5testaccount@test.com'

GET /_layouts/Healthcheck/Healthcheck.aspx HTTP/1.1 Authorization: NTLM TlR User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5 Accept: / Host: server1.test.com

< HTTP/1.1 401 Unauthorized < Server: Microsoft-IIS/7.5 < SPRequestGuid: 0c257 < WWW-Authenticate: NTLM TlR= < WWW-Authenticate: Negotiate < X-Powered-By: ASP.NET < MicrosoftSharePointTeamServices: 14.0.0.6126 < X-MS-InvokeApp: 1; RequireReadOnly < Date: Fri, 24 Jan 2014 21:28:38 GMT < Content-Length: 0 < * Connection 0 to host 10.1.1.11 left intact * Issue another request to this URL: 'http://10.1.1.11/_layouts/Healthcheck/Healthcheck.aspx' * Re-using existing connection! (0) with host 10.1.1.11 * Connected to 10.1.1.11 (10.1.1.11) port 80 (0) * Server auth using NTLM with user 'F5testaccount@test.com' GET /_layouts/Healthcheck/Healthcheck.aspx HTTP/1.1 Authorization: NTLM TlR= User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5 Accept: / Host: server1.test.com

< HTTP/1.1 200 OK !!!!ommitted for brevity

    

status: pass

* Connection 0 to host 10.1.1.11 left intact * Closing connection 0

Monitor health checks Not Working and is locking the active directory account.

LTM Monitor config:

ltm monitor http HC_test.com { defaults-from /Common/http destination : interval 5 partition Network_Test password $F5testaccount&123 recv pass send "GET /_layouts/Healthcheck/Healthcheck.aspx HTTP/1.1\r\nHost: server1.test.com" time-until-up 0 timeout 16 username test\F5testaccount }