Forum Discussion

Jon_Macy
Oct 30, 2013

Citrix iApp using Active Directory - Monitor for Kerberos Auth?

We are implementing one of the Citrix iApps. We specify the authentication as Active Directory. We list the pool of servers (DCs). All works. We haven't been able to figure out a decent health monitor. We could do just a TCP 88 check, but that isn't much of a health check. Searches on DevCentral and the internet have not turned up much. Has anyone done a health monitor of this type?

2 Replies

  • That is an excellent question, and one that I wish there was a better answer to. At some point, I'm not sure when, the ability to do negotiate (Kerberos) authentication with cURL was stripped from the on-board libraries. Aside from that, there are perhaps a few other options:

    • The HTTP monitor can be configured to fail over to NTLM authentication if Basic fails. If you support Kerberos and NTLM negotiation, that may be an option. See this post:

      https://devcentral.f5.com/questions/hhtp-montior-for-microsoft-ntlm-negoiate

    • You could create a separate site on the same IIS host that supports Basic or even anonymous access, and has a script that can check the health of the other site from within.

    • Simply do ICMP (ping) or TCP monitoring.

  • Jon,

    Maybe it's not the best method for monitoring DCs, but I think it's pretty safe to say that whenever LDAP access to a DC is not functioning, the DC is probably offline or in an unusable state. So, an LDAP-based monitor might be a safe bet.

    You have to create a (special purpose) user in AD for this to work (or re-use the one from the XML-broker monitor). Make sure this user's password never expires, otherwise your monitor will stop working when it does and flag the pool offline. Hard to debug one year from now when you've forgotten all about it 🙂

    The base DN is set to the user's DN, to not unnecessarily stress the DC with a subtree search every 30 secs.

    Here's our monitor:

    ltm monitor ldap /Common/monitor_aaa_ad {
        base "cn=SVC-F5CitrixMonitor,ou=Service Accounts,ou=Users,ou=xxx,dc=xxx,dc=xxx,dc=xx"
        chase-referrals no
        debug no
        defaults-from /Common/ldap
        destination *:636
        filter (&(objectClass=user)(cn=SVC-F5CitrixMonitor))
        interval 30
        mandatory-attributes yes
        password xxxxxxxxxxxxxxxxx
        security ssl
        time-until-up 0
        timeout 91
        username "cn=SVC-F5CitrixMonitor,ou=Service Accounts,ou=Users,ou=xxx,dc=xxx,dc=xxx,dc=xx"
    }
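The reply above relies on a handful of properties of that stanza: the base DN is the bind user's own DN so each probe is a single-object lookup rather than a subtree search, the bind goes over LDAPS (security ssl on port 636), the filter names the same object, mandatory-attributes is on, and timeout follows F5's usual 3 × interval + 1 spacing so a DC is only marked down after three missed probes. The script below is an added example, not code from the thread or from F5: a small parser for a tmsh `ltm monitor ldap` stanza plus a linter that checks those properties. Both sample stanzas are constructed here (the first mirrors the posted monitor with its xxx placeholders, the second is a deliberately weaker variant); the finding texts and the function names are this example's own.

```python
"""Lint an F5 tmsh 'ltm monitor ldap' stanza for the properties the reply depends on."""
import re

# Constructed sample: the monitor posted in the reply, placeholders left as-is.
SAMPLE_STANZA = """\
ltm monitor ldap /Common/monitor_aaa_ad {
    base "cn=SVC-F5CitrixMonitor,ou=Service Accounts,ou=Users,ou=xxx,dc=xxx,dc=xxx,dc=xx"
    chase-referrals no
    debug no
    defaults-from /Common/ldap
    destination *:636
    filter (&(objectClass=user)(cn=SVC-F5CitrixMonitor))
    interval 30
    mandatory-attributes yes
    password xxxxxxxxxxxxxxxxx
    security ssl
    time-until-up 0
    timeout 91
    username "cn=SVC-F5CitrixMonitor,ou=Service Accounts,ou=Users,ou=xxx,dc=xxx,dc=xxx,dc=xx"
}
"""

# Constructed weaker variant: plain LDAP, domain-wide base, short timeout, no mandatory attributes.
WEAK_STANZA = """\
ltm monitor ldap /Common/monitor_aaa_ad_weak {
    base "dc=xxx,dc=xxx,dc=xx"
    defaults-from /Common/ldap
    destination *:389
    filter (&(objectClass=user)(cn=SVC-F5CitrixMonitor))
    interval 30
    mandatory-attributes no
    password xxxxxxxxxxxxxxxxx
    security none
    timeout 31
    username "cn=SVC-F5CitrixMonitor,ou=Service Accounts,ou=Users,ou=xxx,dc=xxx,dc=xxx,dc=xx"
}
"""


def parse_monitor(text):
    """Return (monitor name, {attribute: value}) from one 'ltm monitor ldap' stanza.

    Each body line is 'key value'; values are bare tokens or double-quoted strings
    (quotes stripped). Only the single-stanza shape shown in the thread is handled."""
    header = re.match(r"\s*ltm monitor ldap (\S+) \{", text)
    if not header:
        raise ValueError("not an 'ltm monitor ldap' stanza")
    attrs = {}
    for line in text[header.end():].splitlines():
        line = line.strip()
        if not line or line == "}":
            continue
        key, _, value = line.partition(" ")
        attrs[key] = value.strip('"')
    return header.group(1), attrs


def lint_monitor(attrs):
    """Return a list of findings; an empty list means the stanza matches the practices described."""
    findings = []
    # Base DN should equal the bind DN: one object lookup instead of a subtree search every probe.
    if attrs.get("base") != attrs.get("username"):
        findings.append("base DN differs from bind DN: search is wider than needed")
    # LDAPS: 'security ssl' belongs with destination port 636; anything else sends the simple bind in clear.
    port = attrs.get("destination", "").rsplit(":", 1)[-1]
    if attrs.get("security") == "ssl" and port != "636":
        findings.append(f"security ssl but destination port is {port}, expected 636")
    if attrs.get("security") != "ssl":
        findings.append("bind is not over SSL/TLS: the monitor password travels in clear text")
    # F5 convention: timeout = 3 * interval + 1, so a DC goes down only after three missed probes.
    interval = int(attrs.get("interval", 0))
    timeout = int(attrs.get("timeout", 0))
    if timeout != 3 * interval + 1:
        findings.append(f"timeout {timeout} != 3*interval+1 ({3 * interval + 1})")
    # The filter should name the object the base DN points at, or the single-object search finds nothing.
    cn = re.match(r"cn=([^,]+)", attrs.get("base", ""), re.I)
    if cn and cn.group(1).lower() not in attrs.get("filter", "").lower():
        findings.append("filter does not reference the base DN object")
    # With mandatory-attributes off, a bind that succeeds but returns no entry still counts as healthy.
    if attrs.get("mandatory-attributes") != "yes":
        findings.append("mandatory-attributes is not yes: an empty result would count as healthy")
    return findings


def lint_text(text):
    """Parse and lint a stanza in one step; returns (name, findings)."""
    name, attrs = parse_monitor(text)
    return name, lint_monitor(attrs)


if __name__ == "__main__":
    for stanza in (SAMPLE_STANZA, WEAK_STANZA):
        name, findings = lint_text(stanza)
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Running it prints the posted monitor as OK and four findings for the weak variant. The one thing the reply warns about that no config linter can catch is the service account's password expiring; that has to be checked in AD (or alerted on) separately.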