Forum Discussion

ghost-rider_124
May 13, 2013

http monitor with authentication

Hi Expert

 

There is one http application (sharepoint). I created the http monitor and put in the username/password but it is not working. Through tcpdump, I got that it is saying unauthorized. Can anybody tell me what I need to change?

 

I am just using the default http monitor and put in the username/password

 

 

Thanks

 

8 Replies

  • This might help: http://www.thef5guy.com/blog/2010/08/sharepoint-2010-ntlm-and-big-ip-health-monitors/

     

     

    What version are you running as I think NTLM is supported with HTTP monitors in v11?
  • Joe_M

    In version 11.3, the HTTP monitor supports NTLM authentication. For the username, the domain must be capitalized: DOMAIN/user. Something that I find odd is that, according to F5 documentation, it doesn't matter if you use a back slash or a forward slash. I would recommend a forward slash "/" since the back slash is an escape character. You also can't use "connection close" like in most monitors. I have also found that you need a user agent string for it to work. So it looks something like this:

     

    GET /owa/ HTTP/1.1\r\nHost: [hostname or IP]\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\r\nConnection: keep-alive

     

    I have gotten this to work without "connection keep alive" and I don't think it matters what the user agent string is, just as long as it is there.

     

    http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13821.html
    http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-1-0.html

     

    If you are not on v11, this should help you out. https://devcentral.f5.com/wiki/advdesignconfig.SuperHTTPMonitor.ashx

     

  • OK so I've gotten farther. I have successfully done it with cURL in an ssh session from the F5 but now cannot figure out how to get this command into a health monitor using ntlm auth.

     

    curl -k -v --ntlm -u 'username:password' -H 'Host: sqlreports.dev'

     

    And it gives me a whole lot of output and I even see the HTTP/1.1 200 OK that I have in my return string.

     

    Any help would be appreciated getting into the GUI F5 health monitor from the cURL ssh command.

     

  • Okay, so a few questions:

    1. Are you using an HTTPS monitor?

    2. If you attempt to use cURL with IP and port instead of hostname, does it work?

    The next step might be to ssldump on the server side to see what's inside that monitor request and response. For this you'll need to copy the server's SSL private key to the BIG-IP and use the following command:

    ssldump -k [path to server's private key] -AdNn -i 0.0 port 443 and host [IP of server]
    

    This should allow you to see inside the SSL traffic between the BIG-IP and server (assuming you're using RSA for key exchange). If you can do this, you should be looking for the client (BIG-IP) GET request, which will probably have a "Basic" Authorization header, followed by a 401 from the server, followed again by another request with an NTLM Authorization header. If the response to that is another 401 or you don't see the second request, then you know it's an auth problem with the monitor.

  • Without a receive string, the monitor will mark up any response at all. It very well could be that the response is a 401 (because auth is failing).

    You could technically (probably) use

    401 Unauthorized     
    

    as your receive string and not add credentials.

  • So what does the cURL output look like if you don't include credentials?

     

    Otherwise it's going to need troubleshooting inside the decrypted monitor traffic.

     

  • So if you add the following as a receive string does it work?

    HTTP/1.1 401 Unauthorized
    

    Ultimately I don't think you want to rely on a 401 to know if the server is up, so I'd press forward to be able to look at decrypted monitor traffic.
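
Added example, not part of the original thread: a Python sketch that walks the request/response headers read off a decrypted monitor capture (such as the ssldump output suggested above) and reports how far the NTLM exchange got. It goes beyond the reply's description by decoding the NTLM message type (1 negotiate, 2 challenge, 3 authenticate), so the 401 that carries the challenge is not mistaken for a failure; the trace tuples, function names and tokens are constructed for illustration.

```python
import base64
import struct

def ntlm_type(value):
    """NTLM message type in a header value: 1, 2 or 3; 0 for a bare
    'NTLM' offer; None when the value is not NTLM at all."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return None
    if not token.strip():
        return 0
    try:
        raw = base64.b64decode(token.strip())
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack("<I", raw[8:12])[0]  # little-endian type field

def diagnose(trace):
    """trace: [(side, first_line, headers)] in wire order, side 'C' or 'S'."""
    sent = None  # latest NTLM message type (1 or 3) the client has sent
    for side, first_line, headers in trace:
        h = {k.lower(): v for k, v in headers.items()}
        if side == "C":
            t = ntlm_type(h.get("authorization", ""))
            sent = t if t in (1, 3) else sent
            continue
        status = first_line.split()[1]
        if status != "401":
            return "ok: server answered " + status
        if sent == 3:
            return "auth problem: 401 after the NTLM authenticate message"
        if sent == 1 and ntlm_type(h.get("www-authenticate", "")) != 2:
            return "auth problem: 401 without an NTLM challenge"
    if sent is None:
        return "auth problem: the monitor never sent an NTLM Authorization header"
    return "incomplete: capture ends after NTLM type %d" % sent

def token(msg_type):
    # Constructed sample: signature and type only, not a full NTLM message.
    return "NTLM " + base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type)).decode()

# Constructed trace: Basic attempt, 401, then the three-message NTLM exchange.
GOOD = [("C", "GET / HTTP/1.1", {"Authorization": "Basic dTpw"}),
        ("S", "HTTP/1.1 401 Unauthorized", {"WWW-Authenticate": "NTLM"}),
        ("C", "GET / HTTP/1.1", {"Authorization": token(1)}),
        ("S", "HTTP/1.1 401 Unauthorized", {"WWW-Authenticate": token(2)}),
        ("C", "GET / HTTP/1.1", {"Authorization": token(3)}),
        ("S", "HTTP/1.1 200 OK", {})]
```

Calling diagnose(GOOD) reports success, while a trace cut off after the first 401 reports that the monitor never sent an NTLM Authorization header.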