HTTP Monitor with Authenticate NTLM failing
Hi,
I am finding that my http monitor is closing the connection after receiving the WWW-Authenticate: Negotiate directive.
Sys::Version
Main Package
Product BIG-IP
Version 11.2.1
Build 807.0
Edition Hotfix HF1
Date Tue Oct 2 10:46:52 PDT 2012
Hotfix List
ID397981 ID395272 ID397435 ID397882
ltm monitor http crm-test.dev.internal_80_http_monitor {
app-service /internal_nonprod/crm-test.dev.internal_80.app/crm-test.wd.govt.nz_80
defaults-from /Common/http
destination *:*
interval 30
partition internal_dev
password secret
recv "200 OK"
send "GET /F5Dynamics/main.aspx HTTP/1.1\\r\\nUser-Agent: F5 Health-Check\\r\\nHost: crm-test.dev.internal\\r\\nAccept: */*"
time-until-up 0
timeout 91
username svc_F5access@dev.internal
}
~ ssldump -AedaH -nni 0.0 host 10.106.0.15
New TCP connection 1: 10.228.128.10(32944) <-> 10.106.0.15(80)
1391050874.5897 (0.0026) C>S
---------------------------------------------------------------
GET /F5Dynamics/main.aspx HTTP/1.1
User-Agent: F5 Health-Check/4.0
Host: crm-test.dev.internal
Accept: */*
Authorization: Basic c3ZjX0Y1YWNjZXNzQGRldi5hZC5pbnRlcm5hbDp1lkRW9OUVZqV3VCUHdwbnhPdHFPM0s=
---------------------------------------------------------------
1391050874.5927 (0.0030) S>C
---------------------------------------------------------------
HTTP/1.1 401 Unauthorized
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/plain
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ReqClientId=6e803adf-3636-451b-9a6f-9550316e6f71; expires=Wed, 30-Jan-2064 03:01:14 GMT; path=/; HttpOnly
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Thu, 30 Jan 2014 03:01:14 GMT
31
HTTP Error 401 - Unauthorized: Access is denied
---------------------------------------------------------------
1391050874.5928 (0.0000) S>C
---------------------------------------------------------------
0
---------------------------------------------------------------
This behavior is very different to that displayed in this post: https://devcentral.f5.com/questions?pid=8446
It seems that the F5 is ignoring the request to authenticate and does not attempt to try the NTLM protocol after the IIS server has responded with an auth failure.
Thanks.
10 Replies
- Oxenburger_1420
Nimbostratus
Hi RBS,
Try removing @dev.internal from the username.
Thanks.
Dave
- RBS_79242
Nimbostratus
Hi, thanks for the reply. I have tried making the username "dev\\svc_F5access"; the result is the same. I have also tried adding a "\r\n" to the send string. The result is the same in both cases. FWIW, curl works with both usernames using --any-auth and --ntlm.
- Oxenburger_1420
Nimbostratus
Hi,
But have you tried removing the domain name?
I had exactly the same problem last week see my post below. Mike solved this by asking me to remove the domain name from the username field.
https://devcentral.f5.com/questions/custom-http-health-monitor-failing-when-using-ntlm-authentication
Cheers,
Dave
- RBS_79242
Nimbostratus
Thanks - I have tried removing the domain - this has not changed the situation. The F5 still fails to send NTLM auth headers after receiving the NEGOTIATE directive.
- mikeshimkus_111
Historic F5 Account
RBS,
Can you post the monitor string as it appears in the LTM GUI? Different versions of BIG-IP append \r\n differently when the monitor configuration is saved in tmsh.
thanks
- RBS_79242
Nimbostratus
Hi, thanks for your reply. A TCPDUMP shows that a "\r\n" is being correctly inserted ONCE between the "Accept */*" and "Authorization" when the packet goes out on the wire. Here is an excerpt from a tcpdump -X:
0x0090: 6f76 742e 6e7a 0d0a 4163 6365 7074 3a20 ovt.nz..Accept:.
0x00a0: 2a2f 2a0d 0a41 7574 686f 7269 7a61 7469 */*..Authorizati
- mikeshimkus_111
Historic F5 Account
You may want to open a case with F5 support on this. The only problems I've seen with NTLM HTTP monitors are with the username and line endings. Yours seem to be correct.
- Hamish
Cirrocumulus
You're missing a '\n' at the end of the send string (when using no auth, you need two of them; when you're using auth, you need two). But you have none after the 'Accept: */*'.
H
- RBS_79242
Nimbostratus
Hi Hamish,
When the HealthCheck is set to:
send "GET /F5Dynamics/main.aspx HTTP/1.1\\r\\nUser-Agent: F5 Health-Check\\r\\nHost: crm-testdev.internal\\r\\nAccept: */*"
TCPDump shows a single \r\n being inserted by the F5 HealthCheck.
0x0080: 726d 2d74 6573 742e 6465 762e 696e 7465 rm-test.dev.inte
0x0090: 726e 616c 0d0a 4163 6365 7074 3a20 2a2f rnal..Accept:.*/
0x00a0: 2a0d 0a41 7574 686f 7269 7a61 7469 6f6e *..Authorization
0x00b0: 3a20 4261 7369 6320 5a47 5632 5848 4e32 :.Basic.ZGV2XHN2
When the Health Check is set to:
send "GET /F5Dynamics/main.aspx HTTP/1.1\\r\\nUser-Agent: F5 Health-Check\\r\\nHost: crm-testdev.internal\\r\\nAccept: */*\\r\\n"
tcpdump still shows a single \r\n being inserted:
0x0080: 726d 2d74 6573 742e 6465 762e 696e 7465 rm-test.dev.inte
0x0090: 726e 616c 0d0a 4163 6365 7074 3a20 2a2f rnal..Accept:.*/
0x00a0: 2a0d 0a41 7574 686f 7269 7a61 7469 6f6e *..Authorization
0x00b0: 3a20 4261 7369 6320 5a47 5632 5848 4e32 :.Basic.ZGV2XHN2
Now comes the interesting part! When the HealthCheck is set to:
send "GET /F5Dynamics/main.aspx HTTP/1.1\\r\\nUser-Agent: F5 Health-Check\\r\\nHost: crm-test.dev.internal\\r\\nAccept: */*\\r\\n\\r\\n"
TCPDump has this (which is not good):
0x0080: 726d 2d74 6573 742e 6465 762e 696e 7465 rm-test.dev.inte
0x0090: 726e 616c 0d0a 4163 6365 7074 3a20 2a2f rnal..Accept:.*/
0x00a0: 2a0d 0a0d 0a41 7574 686f 7269 7a61 7469 *....Authorizati
0x00b0: 6f6e 3a20 4261 7369 6320 5a47 5632 5848 on:.Basic.ZGV2XH
But now the F5 actually sends an NTLM Request! But the end node closes the connection because of the malformed HTTP Auth request. So SSLDump looks like this:
New TCP connection 1: 10.228.128.10(55320) <-> 10.106.0.15(80)
1391124364.9248 (0.0036) C>S
---------------------------------------------------------------
GET /F5Dynamics/main.aspx HTTP/1.1
User-Agent: F5 Health-Check
Host: crm-test.dev.internal
Accept: */*
Authorization: Basic ZGV2XHN2Y19GNWFjY2Vzczp1cmlkRW9OUVZqV3VCUHdwbnhPdHFPM0s=
---------------------------------------------------------------
1391124364.9306 (0.0057) S>C
---------------------------------------------------------------
HTTP/1.1 401 Unauthorized
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/plain
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ReqClientId=1dac24c6-98a5-4649-bc8b-e036e08bfb54; expires=Wed, 30-Jan-2064 23:26:05 GMT; path=/; HttpOnly
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Thu, 30 Jan 2014 23:26:04 GMT
31
HTTP Error 401 - Unauthorized: Access is denied
---------------------------------------------------------------
1391124364.9306 (0.0000) S>C
---------------------------------------------------------------
0
---------------------------------------------------------------
1391124364.9306 (0.0000) S>C
---------------------------------------------------------------
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 30 Jan 2014 23:26:04 GMT
Connection: close
Content-Length: 326
Bad Request
Bad Request - Invalid Verb
HTTP Error 400. The request verb is invalid.
---------------------------------------------------------------
1 1391124364.9306 (0.0000) S>C TCP FIN
1391124364.9312 (0.0006) C>S
---------------------------------------------------------------
GET /F5Dynamics/main.aspx HTTP/1.1
User-Agent: F5 Health-Check
Host: crm-test.dev.internal
Accept: */*
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
---------------------------------------------------------------
1 1391124364.9316 (0.0003) C>S TCP FIN
So in conclusion, behavior is the same for 0 or 1 trailing \r\n's; when two \r\n's are set on the send string, the F5 actually tries to follow through with NTLM auth, but the server disconnects because of the extra \r\n that is presented.
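The captures above show the whole problem in the framing of the request: with zero or one trailing \r\n the monitor emits one CRLF and then its Authorization header, while with two trailing \r\n the header block is already closed and the Authorization header ends up where the server expects the next request, hence the "Invalid Verb" 400. The script below is an added example (not code from the thread or from F5) that recovers the wire bytes from a tcpdump -X excerpt, reports where the Authorization header landed relative to the first blank line, and models the three send-string variants. The framing model is an assumption inferred from these captures, not documented BIG-IP behaviour; the credential is a constructed placeholder; the hex excerpt is the two-CRLF one quoted in the post above.

```python
"""Added example: check how an LTM HTTP monitor's send string frames the request
once the monitor appends its Authorization header."""
import base64
import re

CRLF = b"\r\n"

# One 'tcpdump -X' record: offset, up to 8 groups of 4 hex digits, then an
# ASCII column.  Capping the groups at 8 (16 bytes) stops the ASCII column
# from being read as hex; only a short final record followed by hex-looking
# ASCII could still be misread.  Records are scanned, not split by line, so
# a dump that was collapsed onto one line when pasted into a post still parses.
_HEX_RECORD = re.compile(r"0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4}\s+){0,7}[0-9a-f]{2,4})")


def parse_tcpdump_hex(dump: str) -> bytes:
    """Recover the payload bytes from 'tcpdump -X' output."""
    out = bytearray()
    for m in _HEX_RECORD.finditer(dump):
        out += bytes.fromhex(re.sub(r"\s+", "", m.group(1)))
    return bytes(out)


def header_block_end(wire: bytes) -> int:
    """Offset of the first blank line (CRLF CRLF), i.e. the end of the
    header block, or -1 if the captured bytes contain none."""
    return wire.find(CRLF + CRLF)


def locate_authorization(wire: bytes) -> str:
    """Return 'in-headers', 'in-body' or 'missing'.

    Anything after the first blank line is, to the server, the start of the
    next request.  Its first token would be 'Authorization:', which is not an
    HTTP method, which is exactly what IIS's 'Invalid Verb' 400 reports."""
    auth = wire.find(b"Authorization:")
    if auth < 0:
        return "missing"
    end = header_block_end(wire)
    return "in-headers" if end < 0 or auth < end else "in-body"


def leftover_after_headers(wire: bytes) -> bytes:
    """Bytes the server would try to parse as a following request."""
    end = header_block_end(wire)
    return b"" if end < 0 else wire[end + len(CRLF) * 2:]


def decode_send_string(send: str) -> bytes:
    r"""Turn the send string as displayed by tmsh or the GUI into bytes.

    tmsh doubles backslashes when it lists the config ('\\r\\n' on screen),
    the GUI shows single ones ('\r\n'); both mean CR LF on the wire."""
    s = send.replace("\\\\", "\\")
    return s.replace("\\r", "\r").replace("\\n", "\n").encode("ascii")


def model_monitor_request(send: str, auth_value: str) -> bytes:
    """ASSUMED framing model, inferred from the captures in this thread and
    not from any BIG-IP documentation: the monitor appends one CRLF only if
    the send string does not already end with one (so zero and one trailing
    CRLF give identical bytes, two leave a blank line), then adds the
    Authorization header and terminates the header block."""
    req = decode_send_string(send)
    if not req.endswith(CRLF):
        req += CRLF
    return req + b"Authorization: " + auth_value.encode("ascii") + CRLF + CRLF


# The three send strings from the thread, in tmsh form (backslashes doubled).
SEND_NO_CRLF = (r"GET /F5Dynamics/main.aspx HTTP/1.1\\r\\nUser-Agent: F5 Health-Check"
                r"\\r\\nHost: crm-test.dev.internal\\r\\nAccept: */*")
SEND_ONE_CRLF = SEND_NO_CRLF + r"\\r\\n"
SEND_TWO_CRLF = SEND_NO_CRLF + r"\\r\\n\\r\\n"

# Constructed credential for the example; not the thread's real one.
AUTH_VALUE = "Basic " + base64.b64encode(b"svc_F5access:example-password").decode()

# tcpdump -X excerpt quoted in the post above for the two-CRLF variant,
# one record per line.
DUMP_TWO_CRLF = """\
0x0080: 726d 2d74 6573 742e 6465 762e 696e 7465 rm-test.dev.inte
0x0090: 726e 616c 0d0a 4163 6365 7074 3a20 2a2f rnal..Accept:.*/
0x00a0: 2a0d 0a0d 0a41 7574 686f 7269 7a61 7469 *....Authorizati
0x00b0: 6f6e 3a20 4261 7369 6320 5a47 5632 5848 on:.Basic.ZGV2XH
"""


def check_all() -> dict:
    """Classify the modelled request for each send string and the real capture."""
    variants = (("none", SEND_NO_CRLF), ("one", SEND_ONE_CRLF), ("two", SEND_TWO_CRLF))
    results = {name: locate_authorization(model_monitor_request(s, AUTH_VALUE))
               for name, s in variants}
    results["capture"] = locate_authorization(parse_tcpdump_hex(DUMP_TWO_CRLF))
    return results


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name:8s} Authorization header {verdict}")
```

Run as a script it prints one verdict per variant; the "two" variant and the real capture both come out as in-body, the other two as in-headers, which matches the tcpdump and ssldump output in the post. `leftover_after_headers` shows the bytes the server would read as a second request, which is where the "Invalid Verb" response comes from.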
- mikeshimkus_111
Historic F5 Account
One thing you could try is to modify the authentication providers in IIS so that NTLM is first in the list, instead of Negotiate. We've seen OneConnect have issues with that in the past; maybe your monitor is as well? F5Dynamics is the name of your CRM deployment? That's also the example we give in the deployment guide.
thanks
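When the monitor finally does answer the 401 it sends an "Authorization: NTLM" header carrying a base64 NEGOTIATE_MESSAGE (type 1), which is what the ssldump capture earlier in the thread shows. Being able to decode that token from a capture tells you whether the client really offered NTLM and which negotiate flags it set. The decoder below is an added example, not code from the thread or from F5; the flag bit values and names are taken from MS-NLMP section 2.2.2.5, and the header value is the one captured in the post above.

```python
"""Added example: decode the NTLM NEGOTIATE_MESSAGE (type 1) that a client,
here the monitor, sends in its first 'Authorization: NTLM' header."""
import base64
import struct

# Negotiate flag bits as defined in MS-NLMP section 2.2.2.5; only the ones
# needed to read a typical type 1 message are listed.
NEGOTIATE_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLM_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
}


def parse_ntlm_negotiate(header_value: str) -> dict:
    """Decode the token of an 'Authorization: NTLM <base64>' header value.

    Layout (all little-endian): 8-byte signature 'NTLMSSP\\0', 4-byte message
    type (1), 4-byte NegotiateFlags, then DomainName and Workstation fields,
    each Len(2) MaxLen(2) Offset(4) pointing into the payload."""
    token = header_value.split(None, 1)[1] if header_value.upper().startswith("NTLM ") else header_value
    raw = base64.b64decode(token)
    if len(raw) < 32 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError(f"expected NEGOTIATE (type 1), got type {msg_type}")
    dom_len, _, dom_off = struct.unpack_from("<HHI", raw, 16)
    ws_len, _, ws_off = struct.unpack_from("<HHI", raw, 24)
    return {
        "flags": flags,
        "flag_names": [name for bit, name in sorted(NEGOTIATE_FLAGS.items()) if flags & bit],
        # Any bits set that are not in the table above, so nothing is silently ignored.
        "unlisted_bits": flags & ~sum(NEGOTIATE_FLAGS),
        # Type 1 strings are OEM (8-bit) encoded when present; here both are empty.
        "domain": raw[dom_off:dom_off + dom_len].decode("latin-1"),
        "workstation": raw[ws_off:ws_off + ws_len].decode("latin-1"),
    }


# The header value from the ssldump capture quoted earlier in this thread.
CAPTURED_HEADER = "NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="

if __name__ == "__main__":
    info = parse_ntlm_negotiate(CAPTURED_HEADER)
    print(f"flags=0x{info['flags']:08x} domain={info['domain']!r} workstation={info['workstation']!r}")
    for name in info["flag_names"]:
        print(" ", name)
```

For the captured token this yields flags 0x00088207 with empty domain and workstation fields, i.e. a plain type 1 message that offers NTLM with extended session security and leaves the domain to be supplied in the later type 3 message.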