Forum Discussion

RBS_79242
Jan 30, 2014

HTTP Monitor with Authenticate NTLM failing

Hi,

I am finding that my http monitor is closing the connection after receiving the WWW-Authenticate: Negotiate directive.

Sys::Version
Main Package
  Product  BIG-IP
  Version  11.2.1
  Build    807.0
  Edition  Hotfix HF1
  Date     Tue Oct  2 10:46:52 PDT 2012

Hotfix List
ID397981  ID395272  ID397435  ID397882

ltm monitor http crm-test.dev.internal_80_http_monitor {
    app-service /internal_nonprod/crm-test.dev.internal_80.app/crm-test.wd.govt.nz_80
    defaults-from /Common/http
    destination *:*
    interval 30
    partition internal_dev
    password secret
    recv "200 OK"
    send "GET /F5Dynamics/main.aspx HTTP/1.1\\r\\nUser-Agent: F5 Health-Check\\r\\nHost: crm-test.dev.internal\\r\\nAccept: */*"
    time-until-up 0
    timeout 91
    username svc_F5access@dev.internal
}

~  ssldump -AedaH -nni 0.0 host 10.106.0.15
New TCP connection 1: 10.228.128.10(32944) <-> 10.106.0.15(80)
1391050874.5897 (0.0026)  C>S
---------------------------------------------------------------
GET /F5Dynamics/main.aspx HTTP/1.1
User-Agent: F5 Health-Check/4.0
Host: crm-test.dev.internal
Accept: */*
Authorization: Basic c3ZjX0Y1YWNjZXNzQGRldi5hZC5pbnRlcm5hbDp1lkRW9OUVZqV3VCUHdwbnhPdHFPM0s=

---------------------------------------------------------------

1391050874.5927 (0.0030)  S>C
---------------------------------------------------------------
HTTP/1.1 401 Unauthorized
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/plain
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ReqClientId=6e803adf-3636-451b-9a6f-9550316e6f71; expires=Wed, 30-Jan-2064 03:01:14 GMT; path=/; HttpOnly
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Thu, 30 Jan 2014 03:01:14 GMT

31
HTTP Error 401 - Unauthorized: Access is denied

---------------------------------------------------------------

1391050874.5928 (0.0000)  S>C
---------------------------------------------------------------
0

---------------------------------------------------------------

This behavior is very different from that displayed in this post: https://devcentral.f5.com/questions?pid=8446

It seems that the F5 is ignoring the request to Authenticate and does not attempt to try the NTLM protocol after the IIS Server has responded with an auth failure.

Thanks.

10 Replies

    • RBS_79242
      Hi, thanks for the reply. I have tried making the username "dev\\svc_F5access" the result is the same. I have also tried adding a "\r\n" to the send string. The result is the same in both cases. FWIW, curl works with both usernames using --any-auth and --ntlm
  • Hi,

    But have you tried removing the domain name?

    I had exactly the same problem last week, see my post below. Mike solved this by asking me to remove the domain name from the username field.

    https://devcentral.f5.com/questions/custom-http-health-monitor-failing-when-using-ntlm-authentication

    Cheers,

    Dave


    • RBS_79242
      Thanks - I have tried removing the domain - this has not changed the situation. The F5 still fails to send NTLM auth headers after receiving the NEGOTIATE directive.
  • mikeshimkus_111
    Historic F5 Account

    RBS,

    Can you post the monitor string as it appears in the LTM GUI? Different versions of BIG-IP append \r\n differently when the monitor configuration is saved in tmsh.

    thanks


    • RBS_79242
      Hi, thanks for your reply. A TCPDUMP shows that a "\r\n" is being correctly inserted ONCE between the "Accept */*" and "Authorization" when the packet goes out on the wire. Here is an excerpt from a tcpdump -X:

          0x0090:  6f76 742e 6e7a 0d0a 4163 6365 7074 3a20  ovt.nz..Accept:.
          0x00a0:  2a2f 2a0d 0a41 7574 686f 7269 7a61 7469  */*..Authorizati
  • mikeshimkus_111
    Historic F5 Account

    You may want to open a case with F5 support on this. The only problems I've seen with NTLM HTTP monitors are with the username and line endings. Yours seem to be correct.


  • Hamish

    You're missing a '\n' at the end of the send string (When using no auth, you need two of them. When you're using auth, you need two. But you have none after the 'Accept: */*').

    H


  • Hi Hamish,

    When the HealthCheck is set to:

    send "GET /F5Dynamics/main.aspx HTTP/1.1\\r\\nUser-Agent: F5 Health-Check\\r\\nHost: crm-testdev.internal\\r\\nAccept: */*"
    

    TCPDump shows a single \r\n being inserted by the F5 HealthCheck.

        0x0080:  726d 2d74 6573 742e 6465 762e 696e 7465  rm-test.dev.inte
        0x0090:  726e 616c 0d0a 4163 6365 7074 3a20 2a2f  rnal..Accept:.*/
        0x00a0:  2a0d 0a41 7574 686f 7269 7a61 7469 6f6e  *..Authorization
        0x00b0:  3a20 4261 7369 6320 5a47 5632 5848 4e32  :.Basic.ZGV2XHN2
    

    When the Health Check is set to:

    send "GET /F5Dynamics/main.aspx HTTP/1.1\\r\\nUser-Agent: F5 Health-Check\\r\\nHost: crm-testdev.internal\\r\\nAccept: */*\\r\\n"
    

    tcpdump still shows a single \r\n being inserted

        0x0080:  726d 2d74 6573 742e 6465 762e 696e 7465  rm-test.dev.inte
        0x0090:  726e 616c 0d0a 4163 6365 7074 3a20 2a2f  rnal..Accept:.*/
        0x00a0:  2a0d 0a41 7574 686f 7269 7a61 7469 6f6e  *..Authorization
        0x00b0:  3a20 4261 7369 6320 5a47 5632 5848 4e32  :.Basic.ZGV2XHN2
    

    Now comes the interesting part! When the HealthCheck is set to:

      send "GET /F5Dynamics/main.aspx HTTP/1.1\\r\\nUser-Agent: F5 Health-Check\\r\\nHost: crm-test.dev.internal\\r\\nAccept: */*\\r\\n\\r\\n"
    

    TCPDump has this (which is not good)

        0x0080:  726d 2d74 6573 742e 6465 762e 696e 7465  rm-test.dev.inte
        0x0090:  726e 616c 0d0a 4163 6365 7074 3a20 2a2f  rnal..Accept:.*/
        0x00a0:  2a0d 0a0d 0a41 7574 686f 7269 7a61 7469  *....Authorizati
        0x00b0:  6f6e 3a20 4261 7369 6320 5a47 5632 5848  on:.Basic.ZGV2XH
    

    But now the F5 actually sends an NTLM Request! But the end node closes the connection because of the malformed HTTP Auth request. So SSLDump looks like this:

    New TCP connection 1: 10.228.128.10(55320) <-> 10.106.0.15(80)
    1391124364.9248 (0.0036)  C>S
    ---------------------------------------------------------------
    GET /F5Dynamics/main.aspx HTTP/1.1
    User-Agent: F5 Health-Check
    Host: crm-test.dev.internal
    Accept: */*
    
    Authorization: Basic ZGV2XHN2Y19GNWFjY2Vzczp1cmlkRW9OUVZqV3VCUHdwbnhPdHFPM0s=
    
    ---------------------------------------------------------------
    
    1391124364.9306 (0.0057)  S>C
    ---------------------------------------------------------------
    HTTP/1.1 401 Unauthorized
    Cache-Control: private
    Transfer-Encoding: chunked
    Content-Type: text/plain
    Server: Microsoft-IIS/7.5
    X-AspNet-Version: 4.0.30319
    Set-Cookie: ReqClientId=1dac24c6-98a5-4649-bc8b-e036e08bfb54; expires=Wed, 30-Jan-2064 23:26:05 GMT; path=/; HttpOnly
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
    X-Powered-By: ASP.NET
    Date: Thu, 30 Jan 2014 23:26:04 GMT
    
    31
    HTTP Error 401 - Unauthorized: Access is denied
    
    ---------------------------------------------------------------
    
    1391124364.9306 (0.0000)  S>C
    ---------------------------------------------------------------
    0
    
    ---------------------------------------------------------------
    
    1391124364.9306 (0.0000)  S>C
    ---------------------------------------------------------------
    HTTP/1.1 400 Bad Request
    Content-Type: text/html; charset=us-ascii
    Server: Microsoft-HTTPAPI/2.0
    Date: Thu, 30 Jan 2014 23:26:04 GMT
    Connection: close
    Content-Length: 326
    
    
    Bad Request
     
    Bad Request - Invalid Verb
    HTTP Error 400. The request verb is invalid.
    
    ---------------------------------------------------------------
    
    1    1391124364.9306 (0.0000)  S>C  TCP FIN
    1391124364.9312 (0.0006)  C>S
    ---------------------------------------------------------------
    GET /F5Dynamics/main.aspx HTTP/1.1
    User-Agent: F5 Health-Check
    Host: crm-test.dev.internal
    Accept: */*
    
    
    Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
    
    ---------------------------------------------------------------
    
    1    1391124364.9316 (0.0003)  C>S  TCP FIN
    

    So in conclusion, behavior is the same for 0 or 1 trailing \r\n's. When two \r\n's are set on the send string, the F5 actually tries to follow through with NTLM Auth, but the server disconnects because of the extra \r\n that is presented.

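The framing problem the post above documents, as an added example (this is editor-written Python, not code from the thread or from F5): it applies the CRLF rule the three tcpdump excerpts imply to a monitor send string, splits the result at the first blank line the way any HTTP/1.1 parser does, and reports whether the Authorization header landed inside the header block or after it, where a server reads the leftover bytes as the next request's verb (which is what HTTP.sys's "400 Bad Request - Invalid Verb" is complaining about). It also decodes the `Authorization: NTLM` token from the ssldump, which is an NTLMSSP Type 1 NEGOTIATE message and carries no secret. The rule in `monitor_wire_bytes()` is inferred from the captures and is an assumption, not documented BIG-IP behaviour; `FAKE_AUTH` is a constructed placeholder. One caveat the captures make obvious: the monitor's first attempt is Basic, so a Basic token is only the username and password base64-encoded, and pasting a real one into a public thread discloses the service account's password.

```python
"""
Added example (not from the thread or from F5): model how a BIG-IP HTTP
monitor's send string ends up on the wire once the monitor appends its own
Authorization header, and decode the NTLM token seen in the ssldump.

The framing rule in monitor_wire_bytes() is INFERRED from the three tcpdump
excerpts in the thread (0, 1 and 2 trailing CRLFs); it is an assumption, not
documented BIG-IP behaviour.
"""
import base64
import re
import struct
from dataclasses import dataclass
from typing import Optional

CRLF = b"\r\n"

# Constructed placeholder header; the thread's capture carries a real Basic token.
FAKE_AUTH = b"Authorization: Basic dXNlcjpwYXNz"  # base64("user:pass")

# RFC 7230 tchar: the characters a request method may consist of.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def tmsh_unescape(send: str) -> bytes:
    """Turn the escaped form shown by `tmsh list` (a literal \\r\\n) into CRLF bytes."""
    return send.replace("\\r\\n", "\r\n").encode("ascii")


def monitor_wire_bytes(send: str, auth_header: bytes = FAKE_AUTH) -> bytes:
    """Assumed framing: add one CRLF only if the send string does not already
    end with one, then append the auth header and the blank line that ends
    the request. This reproduces all three captures in the thread."""
    raw = tmsh_unescape(send)
    if not raw.endswith(CRLF):
        raw += CRLF
    return raw + auth_header + CRLF + CRLF


@dataclass
class Framing:
    auth_in_headers: bool          # did Authorization land inside the header block?
    leftover: bytes                # bytes after the first blank line
    leftover_verb: Optional[str]   # what a server would read as the next method
    leftover_verb_valid: bool      # does that "method" satisfy the token grammar?


def analyse_send_string(send: str) -> Framing:
    """Split the wire request at its first blank line, as an HTTP/1.1 parser
    does, and report where the Authorization header ended up."""
    wire = monitor_wire_bytes(send)
    head, _, leftover = wire.partition(CRLF + CRLF)
    header_names = {line.split(b":", 1)[0].strip().lower()
                    for line in head.split(CRLF)[1:] if b":" in line}
    auth_in_headers = b"authorization" in header_names
    verb = None
    verb_valid = False
    if leftover.strip():
        # A GET without Content-Length has no body, so a server treats these
        # bytes as the start of a second request. HTTP.sys answered exactly
        # that with "400 Bad Request - Invalid Verb" in the thread.
        first_line = leftover.split(CRLF, 1)[0]
        verb = first_line.split(b" ", 1)[0].decode("ascii", "replace")
        verb_valid = TOKEN.match(verb.encode("ascii", "replace")) is not None
    return Framing(auth_in_headers, leftover, verb, verb_valid)


# MS-NLMP NegotiateFlags (subset relevant to a NEGOTIATE_MESSAGE)
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}


def decode_ntlm_negotiate(token: str):
    """Parse an NTLM Type 1 (NEGOTIATE) token from an Authorization: NTLM header.
    Returns (flags, [flag names]) or raises on anything that is not a Type 1."""
    raw = base64.b64decode(token + "=" * (-len(token) % 4))
    if raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError(f"expected NEGOTIATE (type 1), got type {msg_type}")
    names = [name for bit, name in sorted(NTLM_FLAGS.items()) if flags & bit]
    return flags, names


# Token the BIG-IP sent in the ssldump above (a Type 1 message carries no secret).
THREAD_NTLM_TOKEN = "TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="

if __name__ == "__main__":
    base = "GET /F5Dynamics/main.aspx HTTP/1.1\\r\\nHost: crm-test.dev.internal\\r\\nAccept: */*"
    for suffix in ("", "\\r\\n", "\\r\\n\\r\\n"):
        f = analyse_send_string(base + suffix)
        print(f"{suffix!r:16} auth in headers: {f.auth_in_headers!s:5} "
              f"next verb: {f.leftover_verb!r} valid: {f.leftover_verb_valid}")
    flags, names = decode_ntlm_negotiate(THREAD_NTLM_TOKEN)
    print(f"NTLM NEGOTIATE flags 0x{flags:08x}: {', '.join(names)}")
```

With zero or one trailing `\r\n` the Authorization header stays inside the header block; with two, it falls after the blank line and its first word, `Authorization:`, fails the method token grammar, which is the 400 the capture shows. The Type 1 token decodes to flags 0x00088207 (UNICODE, OEM, REQUEST_TARGET, NTLM, ALWAYS_SIGN, EXTENDED_SESSIONSECURITY), i.e. the BIG-IP offers NTLMv2-style extended session security rather than plain LM/NTLM.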
    • mikeshimkus_111
      Historic F5 Account
      One thing you could try is to modify the authentication providers in IIS so that NTLM is first in the list, instead of Negotiate. We've seen OneConnect have issues with that in the past, maybe your monitor is as well? F5Dynamics is the name of your CRM deployment? That's also the example we give in the deployment guide. thanks