Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology

Citrix iApp using Active Directory - Monitor for Kerberos Auth?

We are implementing one of the Citrix iApps. We specify the authentication as Active Directory. We list the pool of servers (DCs). All works. We haven't been able to figure out a decent health monitor. We could do just a TCP 88 but that isn't much of health check. Searching in DevCentral and internet searches have not turned up much. Has anyone done a health monitor of this type?

Rate this Question

Answers to this Question


That is an excellent question, and one that I wish there was a better answer to. At some point, I'm not sure when, the ability to do negotiate (Kerberos) authentication with cURL was stripped from the on-board libraries. Aside from that, there are perhaps a few other options:

  • The HTTP monitor can be configured to fail over to NTLM authentication if Basic fails. If you support Kerberos and NTLM negotiation, that may be an option. See this post:


  • You could create a separate site on the same IIS host that supports Basic or even anonymous access, and has a script that can check the health of the other site from within.

  • Simply do ICMP (ping) or TCP monitoring.

Comments on this Answer
Comment made 30-Oct-2013 by Jon Macy 68
The Citrix iApp we are implementing is using APM for the portal so there aren't any IIS (or other web services) involved. This is closer to the kind of configuration where APM is prompting/fronting with authentication for another service. User -> APM, performs authentication -> continues to web app passing cookie or whatever. I'm never happy with just ICMP or a port check - invariably the service stops serving but the port or server is still technically "up" and the monitor doesn't catch it.
Comment made 30-Oct-2013 by Kevin Stewart
Well, assuming we're talking about XenApp and replacing Web Interface with APM, you're still talking to pool of Citrix XML brokers for application enumeration. The Citrix XML broker only supports Kerberos authentication/SSO if it's IIS-integrated. XML broker without IIS integration only supports user/pass (and anonymous).


Maybe it's not the best method for monitoring DC's, but i think it's pretty safe to say that whenever ldap access to a DC is not functioning the DC is probably offline or in a unusable state. So, a ldap based monitor might be a safe bet.

You have to create a (special purpose) user in AD for this to work (Or re-use the one from the xml-broker monitor). Make sure this user's password never expires, otherwise your monitor will stop working when it does and flags the pool offline. Hard to debug one year from now when you've forgotten all about it :-)

The base-dn is set to the user's dn, to not unnecessarily stress the DC with a subtree search every 30 secs.

Here's our monitor :

ltm monitor ldap /Common/monitor_aaa_ad {
base "cn=SVC-F5CitrixMonitor,ou=Service Accounts,ou=Users,ou=xxx,dc=xxx,dc=xxx,dc=xx"
chase-referrals no
debug no
defaults-from /Common/ldap
destination *:636
filter (&(objectClass=user)(cn=SVC-F5CitrixMonitor))
interval 30
mandatory-attributes yes
password xxxxxxxxxxxxxxxxx
security ssl
time-until-up 0
timeout 91
username "cn=SVC-F5CitrixMonitor,ou=Service Accounts,ou=Users,ou=xxx,dc=xxx,dc=xxx,dc=xx"