LTM 11.1.0+ HTTP monitor with native NTLM auth

Question

After struggling for a few hours with HTTP monitors using the native NTLM solution (after the initial BASIC auth request fails), I'm not convinced that it's correctly forming the NTLM request.&nbsp;
The web server constantly returns 401.2 responses and the following is logged in to the server's Security event log:&nbsp;
Account For Which Logon Failed:&nbsp;
Security ID: NULL SID&nbsp;
Account Name: &nbsp;
Account Domain: &nbsp;
Failure Information:&nbsp;
Failure Reason: Unknown user name or bad password.&nbsp;
Status: 0xc000006d&nbsp;
Sub Status: 0xc000006a&nbsp;
It seems that 0xc000006a means "User logon with Misspelled or bad Password".  I know for a fact that the password specified in the monitor is correct, and when capturing the BASIC auth request it shows as such; something is going wrong during the NTLM auth request.&nbsp;
Since the request is hashed I've got no way of figuring out whether the username and password are correct so I was wondering if anyone else has successfully used the native NTLM auth functionality of the HTTP monitor since it was implemented in 11.1.0.&nbsp;
Thanks&nbsp;

hoolio · Answer

Hi David, 
&nbsp;  
&nbsp; Can you open a support case on this.  If I get a chance, I'll try testing here as well. 
&nbsp;  
&nbsp; Aaron

nitass · Answer

would you mind posting the http monitor configuration? 
&nbsp;  
&nbsp;  tmsh list ltm monitor (monitor name) 
&nbsp;  
&nbsp; and can you post http monitor response? it is http (not https), isn't it? 
&nbsp;  
&nbsp;  ssldump -Aed -nni (vlan name) host (selfip) and host (pool member ip) and port (pool member port)

david_stretch_2 · Answer

Here's the monitor, I'll dump the HTTP response in a bit ... 
&nbsp;  
&nbsp; ltm monitor http QA_ShortURL_Monitor { 
&nbsp;     defaults-from /Common/http 
&nbsp;     destination *:* 
&nbsp;     interval 30 
&nbsp;     partition WebSystems 
&nbsp;     password "****" 
&nbsp;     recv "StatusCode: 200, Ok" 
&nbsp;     send "GET / HTTP/1.1\r\nHost: qa-shorturl-2008-f5" 
&nbsp;     time-until-up 0 
&nbsp;     timeout 61 
&nbsp;     username DOMAIN\svc_f5HTTPMonitor 
&nbsp; } 
&nbsp;  
&nbsp; I had to remove the trailing 
 as it was causing malformed headers in the HTTP request which it appears is a known bug when using NTLM auth on a monitor. 
&nbsp;  
&nbsp; Thanks

nitass · Answer

this is mine. 
  
 root@v1110(Active)(/Common)(tmos) show sys version

Sys::Version
Main Package
  Product  BIG-IP
  Version  11.1.0
  Build    1943.0
  Edition  Final
  Date     Sun Nov 20 18:27:50 PST 2011

root@v1110(Active)(/Common)(tmos) list ltm monitor http myntlm
ltm monitor http myntlm {
    defaults-from http
    destination *:*
    interval 5
    password secret
    recv "200 OK"
    send "GET /index.html HTTP/1.1\r\nHost: 172.28.19.78"
    time-until-up 0
    timeout 16
    username tasmania@abc.com
}

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.10.02 20:43:47 =~=~=~=~=~=~=~=~=~=~=~=

[root@v1110:Active] config  
[root@v1110:Active] config  ssldump -Aed -nni 0.0 port 80
New TCP connection 1: 172.28.20.11(41539) &lt;-&gt; 172.28.19.78(80)
1349181834.6342 (0.0024)  C&gt;S
---------------------------------------------------------------
GET /index.html HTTP/1.1

Host: 172.28.19.78

Authorization: Basic dGFzbWFuaWFAYWJjLmNvbTpzZWNyZXQ=

---------------------------------------------------------------

1349181834.6351 (0.0009)  S&gt;C
---------------------------------------------------------------
HTTP/1.1 401 Unauthorized

Content-Length: 1656

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

Date: Tue, 02 Oct 2012 12:40:33 GMT

...snipped...
---------------------------------------------------------------

1349181834.6360 (0.0009)  C&gt;S
---------------------------------------------------------------
GET /index.html HTTP/1.1

Host: 172.28.19.78

Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=

---------------------------------------------------------------

1349181834.6370 (0.0009)  S&gt;C
---------------------------------------------------------------
HTTP/1.1 401 Unauthorized

Content-Length: 1539

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: NTLM TlRMTVNTUAACAAAABgAGADgAAAAFgokCqL4wD9Ebc7wAAAAAAAAAAGIAYgA+AAAABQLODgAAAA9BAEIAQwACAAYAQQBCAEMAAQAMAFMAQQBMAE0ATwBOAAQADgBhAGIAYwAuAGMAbwBtAAMAHABzAGEAbABtAG8AbgAuAGEAYgBjAC4AYwBvAG0ABQAOAGEAYgBjAC4AYwBvAG0AAAAAAA==

Date: Tue, 02 Oct 2012 12:40:33 GMT

...snipped...

---------------------------------------------------------------

1349181834.6382 (0.0011)  C&gt;S
---------------------------------------------------------------
GET /index.html HTTP/1.1

Host: 172.28.19.78

Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGgAAACSAJIAgAAAAAAAAABAAAAAIAAgAEAAAAAIAAgAYAAAAAAAAAASAQAABYKIonQAYQBzAG0AYQBuAGkAYQBAAGEAYgBjAC4AYwBvAG0AYgBpAGcAZAAzDBf+CcqPFXMNzakQDxm1eyzebeEbgH6jUUWxR+l6hbBzQbvr5UqfAQEAAAAAAAAAIcaUm6DNAXss3m3hG4B+AAAAAAIABgBBAEIAQwABAAwAUwBBAEwATQBPAE4ABAAOAGEAYgBjAC4AYwBvAG0AAwAcAHMAYQBsAG0AbwBuAC4AYQBiAGMALgBjAG8AbQAFAA4AYQBiAGMALgBjAG8AbQAAAAAAAAAAAA==

---------------------------------------------------------------

1349181834.6400 (0.0018)  S&gt;C
---------------------------------------------------------------
HTTP/1.1 200 OK

Content-Length: 12

Content-Type: text/html

Last-Modified: Tue, 02 Oct 2012 11:29:51 GMT

Accept-Ranges: bytes

ETag: "c81b63d91a0cd1:251"

Server: Microsoft-IIS/6.0

Date: Tue, 02 Oct 2012 12:40:33 GMT

hello world!---------------------------------------------------------------

1    1349181834.6413 (0.0012)  C&gt;S  TCP FIN
1    1349181834.6420 (0.0007)  S&gt;C  TCP FIN

Forum Discussion

LTM 11.1.0+ HTTP monitor with native NTLM auth

4 Replies

Recent Discussions

Ivanti MDM Core & F5 LTM/ASM with mTLS

F5 BIGIP & XC certbot plugin

F5 radius login not working

A Method for Auth and SSO

setup F5vpn using key stored in TPM?

Related Content

Rethinking Payload Parsing: Native JSON Handling in iRules

What’s New in the NGINX Plus R36 Native OIDC Module

Visibility for Modern Telco and Cloud‑Native Networks

Bringing Agentic Observability to F5 NGINX Plus: Native MCP Traffic Inspection

From Chat to Config: Building an AI-Native MCP Server for F5 Distributed Cloud

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS