Forum Discussion
HTTP Monitor with Authenticate NTLM failing
Hi Hamish,
When the HealthCheck is set to:
send "GET /F5Dynamics/main.aspx HTTP/1.1\\r\\nUser-Agent: F5 Health-Check\\r\\nHost: crm-testdev.internal\\r\\nAccept: */*"
TCPDump shows a single \r\n being inserted by the F5 HealthCheck.
0x0080: 726d 2d74 6573 742e 6465 762e 696e 7465 rm-test.dev.inte
0x0090: 726e 616c 0d0a 4163 6365 7074 3a20 2a2f rnal..Accept:.*/
0x00a0: 2a0d 0a41 7574 686f 7269 7a61 7469 6f6e *..Authorization
0x00b0: 3a20 4261 7369 6320 5a47 5632 5848 4e32 :.Basic.ZGV2XHN2
When the Health Check is set to:
send "GET /F5Dynamics/main.aspx HTTP/1.1\\r\\nUser-Agent: F5 Health-Check\\r\\nHost: crm-testdev.internal\\r\\nAccept: */*\\r\\n"
tcpdump still shows a single \r\n being inserted:
0x0080: 726d 2d74 6573 742e 6465 762e 696e 7465 rm-test.dev.inte
0x0090: 726e 616c 0d0a 4163 6365 7074 3a20 2a2f rnal..Accept:.*/
0x00a0: 2a0d 0a41 7574 686f 7269 7a61 7469 6f6e *..Authorization
0x00b0: 3a20 4261 7369 6320 5a47 5632 5848 4e32 :.Basic.ZGV2XHN2
Now comes the interesting part! When the HealthCheck is set to:
send "GET /F5Dynamics/main.aspx HTTP/1.1\\r\\nUser-Agent: F5 Health-Check\\r\\nHost: crm-test.dev.internal\\r\\nAccept: */*\\r\\n\\r\\n"
TCPDump has this (which is not good):
0x0080: 726d 2d74 6573 742e 6465 762e 696e 7465 rm-test.dev.inte
0x0090: 726e 616c 0d0a 4163 6365 7074 3a20 2a2f rnal..Accept:.*/
0x00a0: 2a0d 0a0d 0a41 7574 686f 7269 7a61 7469 *....Authorizati
0x00b0: 6f6e 3a20 4261 7369 6320 5a47 5632 5848 on:.Basic.ZGV2XH
But now the F5 actually sends an NTLM Request! But the end node closes the connection because of the malformed HTTP Auth request. So SSLDump looks like this:
New TCP connection 1: 10.228.128.10(55320) <-> 10.106.0.15(80)
1391124364.9248 (0.0036) C>S
---------------------------------------------------------------
GET /F5Dynamics/main.aspx HTTP/1.1
User-Agent: F5 Health-Check
Host: crm-test.dev.internal
Accept: */*
Authorization: Basic ZGV2XHN2Y19GNWFjY2Vzczp1cmlkRW9OUVZqV3VCUHdwbnhPdHFPM0s=
---------------------------------------------------------------
1391124364.9306 (0.0057) S>C
---------------------------------------------------------------
HTTP/1.1 401 Unauthorized
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/plain
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ReqClientId=1dac24c6-98a5-4649-bc8b-e036e08bfb54; expires=Wed, 30-Jan-2064 23:26:05 GMT; path=/; HttpOnly
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Thu, 30 Jan 2014 23:26:04 GMT
31
HTTP Error 401 - Unauthorized: Access is denied
---------------------------------------------------------------
1391124364.9306 (0.0000) S>C
---------------------------------------------------------------
0
---------------------------------------------------------------
1391124364.9306 (0.0000) S>C
---------------------------------------------------------------
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 30 Jan 2014 23:26:04 GMT
Connection: close
Content-Length: 326
Bad Request
Bad Request - Invalid Verb
HTTP Error 400. The request verb is invalid.
---------------------------------------------------------------
1 1391124364.9306 (0.0000) S>C TCP FIN
1391124364.9312 (0.0006) C>S
---------------------------------------------------------------
GET /F5Dynamics/main.aspx HTTP/1.1
User-Agent: F5 Health-Check
Host: crm-test.dev.internal
Accept: */*
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
---------------------------------------------------------------
1 1391124364.9316 (0.0003) C>S TCP FIN
So in conclusion, behavior is the same for 0 or 1 trailing \r\n's. When two \r\n's are set on the send string, the F5 actually tries to follow through with NTLM auth, but the server disconnects because of the extra \r\n that is presented.
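Added example, not part of the original post or F5's code: a small Python check that frames the health-check bytes the way an HTTP server does, splitting at the first blank line, to show where the Authorization header ends up in each case. The wire bytes are constructed from the send strings and dumps above, the Basic credential is a placeholder, and reading the leftover line as a new request is an interpretation consistent with the 400 "Invalid Verb" response in the ssldump.

```python
import re

CRLF = b"\r\n"
# RFC 7230 "token": characters allowed in a method name (a colon is not one).
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def inspect_request(wire: bytes) -> dict:
    """Report how a server would frame the bytes of one monitor send."""
    head, blank, leftover = wire.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    names = [l.split(b":", 1)[0].strip().lower() for l in lines[1:] if b":" in l]
    report = {
        "terminated": bool(blank),  # was a blank line seen at all?
        "has_authorization": b"authorization" in names,
        "has_body_length": b"content-length" in names
                           or b"transfer-encoding" in names,
        "stray_line": None,
        "stray_is_valid_request": None,
    }
    # With no body length declared, bytes after the blank line are not a body:
    # the server parses them as the request line of a second request.
    if leftover and not report["has_body_length"]:
        stray = leftover.split(CRLF, 1)[0]
        parts = stray.split(b" ")
        report["stray_line"] = stray.decode("latin-1")
        report["stray_is_valid_request"] = bool(
            len(parts) == 3
            and TOKEN.fullmatch(parts[0])
            and parts[2].startswith(b"HTTP/")
        )
    return report

# Constructed samples modelled on the dumps above (not captured traffic).
BASE = (b"GET /F5Dynamics/main.aspx HTTP/1.1\r\nUser-Agent: F5 Health-Check\r\n"
        b"Host: crm-test.dev.internal\r\nAccept: */*")
AUTH = b"Authorization: Basic dXNlcjpwYXNz"  # placeholder for "user:pass"
GOOD = BASE + CRLF + AUTH + CRLF + CRLF          # 0 or 1 trailing \r\n case
BAD = BASE + CRLF + CRLF + AUTH + CRLF + CRLF    # two trailing \r\n case

if __name__ == "__main__":
    for label, wire in (("good", GOOD), ("bad", BAD)):
        print(label, inspect_request(wire))
```

For the BAD sample the first request has no Authorization header, and the leftover line starts with "Authorization:", which is not a valid method token.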