Forum Discussion
LTM 11.1.0+ HTTP monitor with native NTLM auth
After struggling for a few hours with HTTP monitors using the native NTLM solution (after the initial BASIC auth request fails), I'm not convinced that it's correctly forming the NTLM request.
The web server constantly returns 401.2 responses and the following is logged in to the server's Security event log:
Account For Which Logon Failed:
Failure Information:
It seems that 0xc000006a means "User logon with Misspelled or bad Password". I know for a fact that the password specified in the monitor is correct, and when capturing the BASIC auth request it shows as such; something is going wrong during the NTLM auth request.
Since the request is hashed I've got no way of figuring out whether the username and password are correct so I was wondering if anyone else has successfully used the native NTLM auth functionality of the HTTP monitor since it was implemented in 11.1.0.
Thanks
4 Replies
- hoolio
Cirrostratus
Hi David,
Can you open a support case on this? If I get a chance, I'll try testing here as well.
Aaron
- nitass
Employee
would you mind posting the http monitor configuration?
tmsh list ltm monitor (monitor name)
and can you post http monitor response? it is http (not https), isn't it?
ssldump -Aed -nni (vlan name) host (selfip) and host (pool member ip) and port (pool member port)
- David_Stretch_2
Nimbostratus
Here's the monitor, I'll dump the HTTP response in a bit ...
ltm monitor http QA_ShortURL_Monitor {
    defaults-from /Common/http
    destination *:*
    interval 30
    partition WebSystems
    password "****"
    recv "StatusCode: 200, Ok"
    send "GET / HTTP/1.1\\r\\nHost: qa-shorturl-2008-f5"
    time-until-up 0
    timeout 61
    username DOMAIN\\svc_f5HTTPMonitor
}
I had to remove the trailing \r\n as it was causing malformed headers in the HTTP request which it appears is a known bug when using NTLM auth on a monitor.
Thanks
- nitass
Employee
this is mine.

root@v1110(Active)(/Common)(tmos) show sys version

Sys::Version
Main Package
  Product  BIG-IP
  Version  11.1.0
  Build    1943.0
  Edition  Final
  Date     Sun Nov 20 18:27:50 PST 2011

root@v1110(Active)(/Common)(tmos) list ltm monitor http myntlm
ltm monitor http myntlm {
    defaults-from http
    destination *:*
    interval 5
    password secret
    recv "200 OK"
    send "GET /index.html HTTP/1.1\\r\\nHost: 172.28.19.78"
    time-until-up 0
    timeout 16
    username tasmania@abc.com
}

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.10.02 20:43:47 =~=~=~=~=~=~=~=~=~=~=~=
[root@v1110:Active] config
[root@v1110:Active] config ssldump -Aed -nni 0.0 port 80
New TCP connection 1: 172.28.20.11(41539) <-> 172.28.19.78(80)
1349181834.6342 (0.0024) C>S
---------------------------------------------------------------
GET /index.html HTTP/1.1
Host: 172.28.19.78
Authorization: Basic dGFzbWFuaWFAYWJjLmNvbTpzZWNyZXQ=
---------------------------------------------------------------
1349181834.6351 (0.0009) S>C
---------------------------------------------------------------
HTTP/1.1 401 Unauthorized
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Tue, 02 Oct 2012 12:40:33 GMT
...snipped...
---------------------------------------------------------------
1349181834.6360 (0.0009) C>S
---------------------------------------------------------------
GET /index.html HTTP/1.1
Host: 172.28.19.78
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
---------------------------------------------------------------
1349181834.6370 (0.0009) S>C
---------------------------------------------------------------
HTTP/1.1 401 Unauthorized
Content-Length: 1539
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM TlRMTVNTUAACAAAABgAGADgAAAAFgokCqL4wD9Ebc7wAAAAAAAAAAGIAYgA+AAAABQLODgAAAA9BAEIAQwACAAYAQQBCAEMAAQAMAFMAQQBMAE0ATwBOAAQADgBhAGIAYwAuAGMAbwBtAAMAHABzAGEAbABtAG8AbgAuAGEAYgBjAC4AYwBvAG0ABQAOAGEAYgBjAC4AYwBvAG0AAAAAAA==
Date: Tue, 02 Oct 2012 12:40:33 GMT
...snipped...
---------------------------------------------------------------
1349181834.6382 (0.0011) C>S
---------------------------------------------------------------
GET /index.html HTTP/1.1
Host: 172.28.19.78
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGgAAACSAJIAgAAAAAAAAABAAAAAIAAgAEAAAAAIAAgAYAAAAAAAAAASAQAABYKIonQAYQBzAG0AYQBuAGkAYQBAAGEAYgBjAC4AYwBvAG0AYgBpAGcAZAAzDBf+CcqPFXMNzakQDxm1eyzebeEbgH6jUUWxR+l6hbBzQbvr5UqfAQEAAAAAAAAAIcaUm6DNAXss3m3hG4B+AAAAAAIABgBBAEIAQwABAAwAUwBBAEwATQBPAE4ABAAOAGEAYgBjAC4AYwBvAG0AAwAcAHMAYQBsAG0AbwBuAC4AYQBiAGMALgBjAG8AbQAFAA4AYQBiAGMALgBjAG8AbQAAAAAAAAAAAA==
---------------------------------------------------------------
1349181834.6400 (0.0018) S>C
---------------------------------------------------------------
HTTP/1.1 200 OK
Content-Length: 12
Content-Type: text/html
Last-Modified: Tue, 02 Oct 2012 11:29:51 GMT
Accept-Ranges: bytes
ETag: "c81b63d91a0cd1:251"
Server: Microsoft-IIS/6.0
Date: Tue, 02 Oct 2012 12:40:33 GMT

hello world!
---------------------------------------------------------------
1 1349181834.6413 (0.0012) C>S TCP FIN
1 1349181834.6420 (0.0007) S>C TCP FIN
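Only the password-derived response in an NTLM exchange is opaque; the user, domain and workstation fields of the Type 3 message are sent in the clear inside the base64 structure. As an added example (not part of any post in this thread), this Python parser decodes the three header values from the capture above; the function names are hypothetical, the OEM code page is assumed to be cp437, and the Type 3 flags field is assumed present.

```python
import base64
import struct

# Header values copied verbatim from the ssldump capture in this thread.
TYPE1 = "NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="
TYPE2 = "NTLM TlRMTVNTUAACAAAABgAGADgAAAAFgokCqL4wD9Ebc7wAAAAAAAAAAGIAYgA+AAAABQLODgAAAA9BAEIAQwACAAYAQQBCAEMAAQAMAFMAQQBMAE0ATwBOAAQADgBhAGIAYwAuAGMAbwBtAAMAHABzAGEAbABtAG8AbgAuAGEAYgBjAC4AYwBvAG0ABQAOAGEAYgBjAC4AYwBvAG0AAAAAAA=="
TYPE3 = "NTLM TlRMTVNTUAADAAAAGAAYAGgAAACSAJIAgAAAAAAAAABAAAAAIAAgAEAAAAAIAAgAYAAAAAAAAAASAQAABYKIonQAYQBzAG0AYQBuAGkAYQBAAGEAYgBjAC4AYwBvAG0AYgBpAGcAZAAzDBf+CcqPFXMNzakQDxm1eyzebeEbgH6jUUWxR+l6hbBzQbvr5UqfAQEAAAAAAAAAIcaUm6DNAXss3m3hG4B+AAAAAAIABgBBAEIAQwABAAwAUwBBAEwATQBPAE4ABAAOAGEAYgBjAC4AYwBvAG0AAwAcAHMAYQBsAG0AbwBuAC4AYQBiAGMALgBjAG8AbQAFAA4AYQBiAGMALgBjAG8AbQAAAAAAAAAAAA=="

def _buf(msg, pos):
    """Return the payload of the security buffer (len, maxlen, offset) at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_ntlm(header_value):
    """Decode the cleartext fields of an NTLM Type 1, 2 or 3 header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header value")
    msg = base64.b64decode(blob, validate=True)
    if msg[:8] != b"NTLMSSP\x00" or len(msg) < 16:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:
        return {"type": 1, "flags": struct.unpack_from("<I", msg, 12)[0]}
    if mtype == 2:
        flags = struct.unpack_from("<I", msg, 20)[0]
        enc = "utf-16-le" if flags & 1 else "cp437"  # bit 0: NEGOTIATE_UNICODE
        return {"type": 2, "flags": flags, "target": _buf(msg, 12).decode(enc),
                "challenge": msg[24:32].hex()}
    if mtype == 3:
        # Assumption: the flags field at offset 60 is present, as in this capture.
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & 1 else "cp437"  # OEM code page is assumed
        nt_len = len(_buf(msg, 20))
        return {"type": 3, "flags": flags,
                "domain": _buf(msg, 28).decode(enc),
                "user": _buf(msg, 36).decode(enc),
                "workstation": _buf(msg, 44).decode(enc),
                "lm_len": len(_buf(msg, 12)), "nt_len": nt_len,
                "ntlmv2": nt_len > 24}  # a 24-byte NT response is NTLMv1
    raise ValueError("unknown NTLM message type %d" % mtype)

if __name__ == "__main__":
    for value in (TYPE1, TYPE2, TYPE3):
        print(parse_ntlm(value))
```

Run against a failing monitor's own Type 3 header, this shows how the configured username was split into the domain and user fields. In the capture above the domain field is empty and the user is sent as tasmania@abc.com.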