Forum Discussion
EAV Monitor fails with NTLMv2
Hi Guys,
I am looking at an EAV monitor that uses curl with NTLM authentication to probe an IIS6 server. It worked fine for ages, but now that the AD group security policy has enforced NTLMv2 for Integrated Authentication the monitor fails with a 500 error:
GET /nna/?orig_uri=/xxxx/secure/xxxxxx/homepage/intranetheartbeat HTTP/1.1
Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
User-Agent: curl/7.10.6 (i686-redhat-linux-gnu) libcurl/7.10.6 OpenSSL/0.9.7l ipv6 zlib/1.1.4
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Host: www.xxxxx.xxx.xxx
HTTP/1.1 500 Internal Server Error
Content-Length: 100
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 30 Jan 2012 09:44:05 GMT
Connection: close
Error
The function requested is not supported
I have checked the IIS6 servers and the key below confirms that the servers are now using NTLMv2 and 128-bit encryption
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec = 0x20080030)
I am pretty sure that the monitor is failing because the libcurl that ships with 9.3.1 doesn't support NTLMv2, but as far as I know neither does the latest version of libcurl?!?
So my question is: how do you write an EAV monitor that supports NTLMv2 in 9.3.1 and/or any other version? Is EAV the right way to go about it, or is there another/better way to do it?
Thoughts appreciated.
Thanks.
Claud
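As an added example (not code from the thread, and not F5's own sample), here is the shape an EAV script for this check could take. It assumes the BIG-IP external-monitor convention that the script receives the pool member IP as $1 (IPv4 addresses arrive as ::ffff:a.b.c.d) and the port as $2, and that writing anything to stdout marks the member up while writing nothing marks it down. It also assumes a curl on the BIG-IP whose NTLM implementation the IIS server accepts, which is exactly the open question in the thread; the variable names URI, HOST_HEADER, RECV, MON_USER and MON_PASSWORD are hypothetical monitor variables chosen here. The point it adds to the thread is the response check: a 500 page from IIS must count as down even if the receive string happens to appear in it, so the status line is checked before the body.

```shell
#!/bin/sh
# Added example EAV monitor for an NTLM-protected page (not from the thread or from F5).
# Assumed calling convention: $1 = member IP (possibly ::ffff:-prefixed), $2 = port;
# any stdout output = up, no output = down. URI, HOST_HEADER, RECV, MON_USER and
# MON_PASSWORD are hypothetical monitor variables.

# check_response: $1 = raw HTTP response as "curl -i" prints it (status line, headers,
# blank line, body), $2 = receive string. Succeeds only when the status line is 2xx AND
# the body contains the receive string, so an IIS "500 Internal Server Error" page that
# happens to mention the string still counts as a failure.
check_response() {
    resp="$1"
    recv="$2"
    # Pull the three-digit status code out of the first line.
    status=$(printf '%s\n' "$resp" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    case "$status" in
        2[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # The body starts after the first blank line (CRLF-terminated headers are fine,
    # since [[:space:]] also matches the trailing carriage return).
    body=$(printf '%s\n' "$resp" | sed '1,/^[[:space:]]*$/d')
    case "$body" in
        *"$recv"*) return 0 ;;
        *) return 1 ;;
    esac
}

# probe_member: $1 = member IP, $2 = port. Prints "up" on success, nothing on failure.
probe_member() {
    ip="${1#::ffff:}"          # strip the IPv6-mapped prefix BIG-IP prepends to IPv4
    port="$2"
    response=$(curl -s -i --max-time 10 --ntlm \
        --user "${MON_USER}:${MON_PASSWORD}" \
        -H "Host: ${HOST_HEADER}" \
        "http://${ip}:${port}${URI}") || return 1
    check_response "$response" "$RECV" || return 1
    echo "up"
}

# Only run the probe when invoked with the IP and port arguments BIG-IP supplies.
if [ "$#" -ge 2 ]; then
    probe_member "$1" "$2"
fi
```

With MON_USER set as DOMAIN/user (curl accepts both '\' and '/' as the domain separator for NTLM), the script fails closed on any non-2xx answer, on a timeout, and on a 200 page that lacks the expected content, which is the behaviour a content-validating monitor for the intranet heartbeat page needs.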
6 Replies
- hoolio
Cirrostratus
Hi Claud,
I couldn't find any indications that any version of curl supports NTLMv2. Short of disabling NTLMv2 on the server, I'm not sure what type of client you could use from LTM for an external monitor. Maybe you could monitor the state of the service on the server using wmic instead of authenticating and making a request to it directly.
Using wmic to monitor Windows services
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086419/Monitoring-Windows-Terminal-Services-from-BIG-IP.aspx
Aaron
- clazba
Nimbostratus
Hey Aaron,
Thanks for looking into that.
Yes, I had thought about wmic; I have used it before to monitor the Exchange RPC service, but I think in this case the customer needs to validate specific content returned by the web app.
I started looking at this post earlier on (http://devsac.blogspot.com/2010/10/supoprt-for-ntlmv2-with-apache.html), which looks interesting. I'll give it a shot tomorrow and see if I manage to end up with a working binary. I'll post back the results here if I get anywhere with it.
Cheers,
Claud
- hoolio
Cirrostratus
That seems feasible. It would also help to open an RFE case requesting native NTLMv2 support for monitors.
Aaron
- clazba
Nimbostratus
Will do, ta.
- hoolio
Cirrostratus
Hey Claud,
A little birdie told me that native HTTP/S monitors in v11.1 already support NTLM and NTLMv2:
http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-1-0.htmlrn_new
NTLM Authentication Support for HTTP/HTTPS Monitors
For an HTTP/HTTPS monitor to successfully use NTLM authentication, a monitor must meet the following configuration requirements:
* The monitor must have a send string. Because it is necessary to use HTTP version 1.1, the send string must be, at minimum: "GET / HTTP/1.1\r\nHost: "
* The monitor must have a receive string.
* The monitor cannot be a reverse monitor.
* The monitor must have a username. The user name may be either a simple username or it can be the domain/username. Both '\' and '/' are recognized.
* The monitor must have a password.
Once this monitor is associated with a pool or pool member, it only enacts NTLM if the request with Basic Auth gets a 401 response with a WWW-Authenticate header set to NTLM. At this point the NTLM handshake should commence. Here is an example monitor:
ltm monitor http /Common/http_testauth {
    defaults-from /Common/http
    destination *:*
    interval 5
    password default
    recv Microsoft-IIS/7
    send "GET / HTTP/1.1\\r\\nHost: portal.authtest.tc.requestsite.com"
    time-until-up 0
    timeout 16
    username AUTHTEST/administrator
}
Aaron
- clazba
Nimbostratus
Thanks for that Aaron, that's really useful information. I doubt the customer would be willing to consider 11.1 as yet, but it certainly allows me to add that to the list of potential workarounds moving forward.
Cheers,
Claud
