LyonsG_85618
Mar 08, 2016

HTTPS Monitor failing when SSO enabled (Kerberos)

Thanks for looking.

I have a pretty basic HTTPS monitor running that worked fine until the application team enabled SSO (uses Kerberos authentication). Since then the monitor has been failing.

I have tried entering a username and password (including & excluding the domain name e.g. testdomain\username) but nothing works. (I have tried multiple combinations inc. uppercase domain etc.)

Curl requests get a 403 error.

Using OpenSSL I get the following error:

```
SPNEGO authentication is not supported.SPNEGO authentication is not supported on this client.
read:errno=0
```

Any suggestions?

Monitor looks like this:

```
ltm monitor https /admin/test.test.group_https {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    recv up
    send "GET /response/page"
    time-until-up 0
    timeout 16
}
```

2 Replies

  • I should also say that if I change the receive string to "SPNEGO", this does work (i.e. the pool gets flagged up), but as it is not a clear indication as to whether the application is working we don't want to use this.
  • Kerberos relies upon the client requesting a token from a KDC. As the F5 is not a "client" in this context, it won't be able to successfully authenticate to a Kerberos-only application. Unless you can get the application team to enable NTLM as well as Kerberos then you're going to have difficulty.

    Another option would be to ask the application team to set up a static page that does a local health check that can be presented to the F5 without authentication and perform your health check on that.
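
An added example, not written by either poster: a probe-response classifier that separates an SPNEGO authentication wall from the result of an unauthenticated health page, which is the distinction both replies turn on. The sample responses, the `HEALTHCHECK_OK` token and the function names are constructed for illustration and are not taken from the poster's application.

```python
import re

# Constructed sample responses; the OK/FAIL tokens are hypothetical.
AUTH_WALL_403 = ("HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
                 "SPNEGO authentication is not supported on this client.")
AUTH_WALL_401 = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
                 "Content-Length: 0\r\n\r\n")
HEALTH_OK = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nHEALTHCHECK_OK db=ok\n"
HEALTH_BAD = ("HTTP/1.1 503 Service Unavailable\r\nContent-Type: text/plain\r\n\r\n"
              "HEALTHCHECK_FAIL db=timeout\n")


def parse(raw):
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    m = re.match(r"HTTP/1\.[01] (\d{3})", status_line)
    if not m:
        raise ValueError("not an HTTP/1.x response")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body


def classify(raw):
    """Return 'healthy', 'unhealthy' or 'auth-wall' for one probe response."""
    try:
        status, headers, body = parse(raw)
    except ValueError:
        return "unhealthy"
    negotiate = headers.get("www-authenticate", "").lower().startswith("negotiate")
    if status in (401, 403) and (negotiate or "SPNEGO" in body):
        # The front end answered, but nothing behind the login was exercised.
        return "auth-wall"
    if status == 200 and body.startswith("HEALTHCHECK_OK"):
        return "healthy"
    return "unhealthy"


if __name__ == "__main__":
    for name in ("AUTH_WALL_403", "AUTH_WALL_401", "HEALTH_OK", "HEALTH_BAD"):
        print(name, "->", classify(globals()[name]))
```

Only the `healthy` result says anything about the application itself; an `auth-wall` result shows that the server in front of it is issuing the Kerberos challenge and nothing more.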