David_Stretch_2
Sep 26, 2012

LTM 11.1.0+ HTTP monitor with native NTLM auth

After struggling for a few hours with HTTP monitors using the native NTLM solution (after the initial BASIC auth request fails), I'm not convinced that it's correctly forming the NTLM request.

The web server constantly returns 401.2 responses and the following is logged in to the server's Security event log:

    Account For Which Logon Failed:
        Security ID: NULL SID
        Account Name:
        Account Domain:
    Failure Information:
        Failure Reason: Unknown user name or bad password.
        Status: 0xc000006d
        Sub Status: 0xc000006a

It seems that 0xc000006a means "User logon with Misspelled or bad Password". I know for a fact that the password specified in the monitor is correct, and when capturing the BASIC auth request it shows as such; something is going wrong during the NTLM auth request.

Since the request is hashed I've got no way of figuring out whether the username and password are correct so I was wondering if anyone else has successfully used the native NTLM auth functionality of the HTTP monitor since it was implemented in 11.1.0.

Thanks

4 Replies

  • Hi David,

    Can you open a support case on this? If I get a chance, I'll try testing here as well.

    Aaron
  • Would you mind posting the HTTP monitor configuration?

        tmsh list ltm monitor (monitor name)

    And can you post the HTTP monitor response? It is HTTP (not HTTPS), isn't it?

        ssldump -Aed -nni (vlan name) host (selfip) and host (pool member ip) and port (pool member port)
  • Here's the monitor, I'll dump the HTTP response in a bit ...

        ltm monitor http QA_ShortURL_Monitor {
            defaults-from /Common/http
            destination *:*
            interval 30
            partition WebSystems
            password "****"
            recv "StatusCode: 200, Ok"
            send "GET / HTTP/1.1\\r\\nHost: qa-shorturl-2008-f5"
            time-until-up 0
            timeout 61
            username DOMAIN\\svc_f5HTTPMonitor
        }

    I had to remove the trailing \r\n as it was causing malformed headers in the HTTP request which it appears is a known bug when using NTLM auth on a monitor.

    Thanks
  • this is mine.

    root@v1110(Active)(/Common)(tmos) show sys version
    
    Sys::Version
    Main Package
      Product  BIG-IP
      Version  11.1.0
      Build    1943.0
      Edition  Final
      Date     Sun Nov 20 18:27:50 PST 2011
    
    root@v1110(Active)(/Common)(tmos) list ltm monitor http myntlm
    ltm monitor http myntlm {
        defaults-from http
        destination *:*
        interval 5
        password secret
        recv "200 OK"
        send "GET /index.html HTTP/1.1\\r\\nHost: 172.28.19.78"
        time-until-up 0
        timeout 16
        username tasmania@abc.com
    }
    
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.10.02 20:43:47 =~=~=~=~=~=~=~=~=~=~=~=
    
    [root@v1110:Active] config  
    [root@v1110:Active] config  ssldump -Aed -nni 0.0 port 80
    New TCP connection 1: 172.28.20.11(41539) <-> 172.28.19.78(80)
    1349181834.6342 (0.0024)  C>S
    ---------------------------------------------------------------
    GET /index.html HTTP/1.1
    
    Host: 172.28.19.78
    
    Authorization: Basic dGFzbWFuaWFAYWJjLmNvbTpzZWNyZXQ=
    
    
    
    ---------------------------------------------------------------
    
    1349181834.6351 (0.0009)  S>C
    ---------------------------------------------------------------
    HTTP/1.1 401 Unauthorized
    
    Content-Length: 1656
    
    Content-Type: text/html
    
    Server: Microsoft-IIS/6.0
    
    WWW-Authenticate: Negotiate
    
    WWW-Authenticate: NTLM
    
    Date: Tue, 02 Oct 2012 12:40:33 GMT
    
    
    
    ...snipped...
    ---------------------------------------------------------------
    
    1349181834.6360 (0.0009)  C>S
    ---------------------------------------------------------------
    GET /index.html HTTP/1.1
    
    Host: 172.28.19.78
    
    Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
    
    
    
    ---------------------------------------------------------------
    
    1349181834.6370 (0.0009)  S>C
    ---------------------------------------------------------------
    HTTP/1.1 401 Unauthorized
    
    Content-Length: 1539
    
    Content-Type: text/html
    
    Server: Microsoft-IIS/6.0
    
    WWW-Authenticate: NTLM TlRMTVNTUAACAAAABgAGADgAAAAFgokCqL4wD9Ebc7wAAAAAAAAAAGIAYgA+AAAABQLODgAAAA9BAEIAQwACAAYAQQBCAEMAAQAMAFMAQQBMAE0ATwBOAAQADgBhAGIAYwAuAGMAbwBtAAMAHABzAGEAbABtAG8AbgAuAGEAYgBjAC4AYwBvAG0ABQAOAGEAYgBjAC4AYwBvAG0AAAAAAA==
    
    Date: Tue, 02 Oct 2012 12:40:33 GMT
    
    
    
    ...snipped...
    
    ---------------------------------------------------------------
    
    1349181834.6382 (0.0011)  C>S
    ---------------------------------------------------------------
    GET /index.html HTTP/1.1
    
    Host: 172.28.19.78
    
    Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGgAAACSAJIAgAAAAAAAAABAAAAAIAAgAEAAAAAIAAgAYAAAAAAAAAASAQAABYKIonQAYQBzAG0AYQBuAGkAYQBAAGEAYgBjAC4AYwBvAG0AYgBpAGcAZAAzDBf+CcqPFXMNzakQDxm1eyzebeEbgH6jUUWxR+l6hbBzQbvr5UqfAQEAAAAAAAAAIcaUm6DNAXss3m3hG4B+AAAAAAIABgBBAEIAQwABAAwAUwBBAEwATQBPAE4ABAAOAGEAYgBjAC4AYwBvAG0AAwAcAHMAYQBsAG0AbwBuAC4AYQBiAGMALgBjAG8AbQAFAA4AYQBiAGMALgBjAG8AbQAAAAAAAAAAAA==
    
    
    
    ---------------------------------------------------------------
    
    1349181834.6400 (0.0018)  S>C
    ---------------------------------------------------------------
    HTTP/1.1 200 OK
    
    Content-Length: 12
    
    Content-Type: text/html
    
    Last-Modified: Tue, 02 Oct 2012 11:29:51 GMT
    
    Accept-Ranges: bytes
    
    ETag: "c81b63d91a0cd1:251"
    
    Server: Microsoft-IIS/6.0
    
    Date: Tue, 02 Oct 2012 12:40:33 GMT
    
    
    
    hello world!---------------------------------------------------------------
    
    1    1349181834.6413 (0.0012)  C>S  TCP FIN
    1    1349181834.6420 (0.0007)  S>C  TCP FIN
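
Added example, not part of the original thread and not F5 code: the NTLM Type 3 (AUTHENTICATE) token is only base64-encoded, and its domain, user and workstation fields travel unencrypted, so the identity a monitor actually sent can be read back from a capture. The token below is copied from the final `Authorization: NTLM` header in the ssldump output above; the function names are illustrative.

```python
import base64
import struct

# Type 3 token from the last Authorization header in the capture above
# (the working monitor, configured with username tasmania@abc.com).
CAPTURED_TYPE3 = (
    "TlRMTVNTUAADAAAAGAAYAGgAAACSAJIAgAAAAAAAAABAAAAAIAAgAEAAAAAIAAgA"
    "YAAAAAAAAAASAQAABYKIonQAYQBzAG0AYQBuAGkAYQBAAGEAYgBjAC4AYwBvAG0A"
    "YgBpAGcAZAAzDBf+CcqPFXMNzakQDxm1eyzebeEbgH6jUUWxR+l6hbBzQbvr5Uqf"
    "AQEAAAAAAAAAIcaUm6DNAXss3m3hG4B+AAAAAAIABgBBAEIAQwABAAwAUwBBAEwA"
    "TQBPAE4ABAAOAGEAYgBjAC4AYwBvAG0AAwAcAHMAYQBsAG0AbwBuAC4AYQBiAGMA"
    "LgBjAG8AbQAFAA4AYQBiAGMALgBjAG8AbQAAAAAAAAAAAA=="
)

NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when this flag is set


def _security_buffer(msg, pos):
    """Read a (len, maxlen, offset) descriptor and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points past end of message")
    return msg[offset:offset + length]


def parse_ntlm_authenticate(token_b64):
    """Decode an NTLM Type 3 token into the identity fields the server sees."""
    msg = base64.b64decode(token_b64, validate=True)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError(f"expected Type 3, got Type {msg_type}")
    (flags,) = struct.unpack_from("<I", msg, 60)
    # OEM strings are decoded as latin-1 here; that code page is an assumption.
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    nt_response = _security_buffer(msg, 20)
    return {
        "domain": _security_buffer(msg, 28).decode(enc),
        "user": _security_buffer(msg, 36).decode(enc),
        "workstation": _security_buffer(msg, 44).decode(enc),
        "lm_len": len(_security_buffer(msg, 12)),
        "nt_len": len(nt_response),
        # A 24-byte NT response is NTLMv1; NTLMv2 appends a variable-length blob.
        "ntlmv2": len(nt_response) > 24,
    }


if __name__ == "__main__":
    for field, value in parse_ntlm_authenticate(CAPTURED_TYPE3).items():
        print(f"{field:12} {value!r}")
```

For the working capture this yields an empty domain field, the full `tasmania@abc.com` in the user field, workstation `bigd`, and an NTLMv2-sized NT response. Decoding the Type 3 token from a failing monitor the same way shows which domain and user strings it carried.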