hhtp montior for Microsoft NTLM Negoiate

Question

The default HTTP monitor in LTM does not support Micorosft NTLM negotiate, you will always recieve 401 Not Authorized even with username and password provided in the HTTP monitor config. The monitor below is based on the HTTP Monitor curl basic GET under link below:&nbsp;
https://devcentral.f5.com/wiki/AdvDesignConfig.HTTPMonitor_cURL_BasicGET.ashx&nbsp;
To implement the monitor:&nbsp;
- Create a new file containing the code below in /usr/bin/monitors on the LTM filesystem. Permissions on the file must be 700 or better, giving root rwx access to the file. 2. Create a monitor profile of type "External" with the following values:&nbsp;
External Program: . . the name of the script file created in step aboveVariables:
Name.......ValueURI . . . . .the URI to request from the serverRECV . . . . the expected responseUSER . . . . the user name to loginPASS . . . . the password for the user

Best regards,&nbsp;
CJ&nbsp;
 &nbsp;
 &nbsp;

kevin_stewart · Answer

Very interesting CJ. Thanks for sharing. Also note that as of v11.1, HTTP monitors will fallback to trying NTLM if Basic auth fails.

cjun · Answer

I tested that in 11.3, the HTTP monitor still not works for NTLM negotiate. In fact, I think this should a RFE, as IIS 7.0 and above seems to be using NTLM negotiate by default.  
&nbsp;  
&nbsp; Best regards, 
&nbsp; CJ

kevin_stewart · Answer

The Windows Integrated authentication option in IIS 7 generally comes with Negotiate (Kerberos or NTLM) or just NTLM configured (in that order) as the default, which means it'll accept either Kerberos tickets or NTLM tokens. That can be changed if course. 
&nbsp;  
&nbsp; Are you absolutely certain (in 11.3) that you don't see the monitor attempt an NTLM request after failing the Basic auth? You'd see that in a capture. &nbsp;

cjun · Answer

Aah, I have done one more test, the tricky part is HTTP/1.1 must be specified in the send string for this to work. My previous on 11.3.0 did not have HTTP/1.1 in send string, hence it failed. Here is detail monitor config that works fine 
&nbsp;  
&nbsp; ltm monitor http /Common/http_iis { 
&nbsp;     defaults-from /Common/http 
&nbsp;     destination *:* 
&nbsp;     interval 5 
&nbsp;     password welcome123 
&nbsp;     recv "200 OK" 
&nbsp;     send "GET / HTTP/1.1\r\nUser-Agent: BIG-IP Monitor\r\nHost:10.168.10.105\r\nAccept: */*" 
&nbsp;     time-until-up 0 
&nbsp;     timeout 16 
&nbsp;     username bigip 
&nbsp; } 
&nbsp;  
&nbsp; Best regards, 
&nbsp; CJ

Forum Discussion

hhtp montior for Microsoft NTLM Negoiate

4 Replies

Recent Discussions

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Related Content

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Microsoft Powershell with iControl

F5 APM as Service Provider (SP) and Microsoft AzureAD as Identity Provider (IDP)

Microsoft's Strike on Cybercriminals and SFX backdoor- April 1st-April 7th - This Week in Security

Microsoft SharePoint and Microsoft Exchange December 2020 Security Update