Forum Discussion

clazba
Feb 02, 2012

EAV Monitor fails with NTLMv2

Hi Guys,

I am looking at an EAV monitor that uses curl with NTLM authentication to probe an IIS6 server. It worked fine for ages, but now that the AD group sec policy has enforced NTLMv2 for Integrated Authentication the monitor fails with a 500 error:

GET /nna/?orig_uri=/xxxx/secure/xxxxxx/homepage/intranetheartbeat HTTP/1.1
User-Agent: curl/7.10.6 (i686-redhat-linux-gnu) libcurl/7.10.6 OpenSSL/0.9.7l ipv6 zlib/1.1.4
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

HTTP/1.1 500 Internal Server Error
Content-Length: 100
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 30 Jan 2012 09:44:05 GMT
Connection: close

ErrorThe function requested is not supported

I have checked the IIS6 servers and the key below confirms that the servers are now using NTLMv2 and 128-bit encryption

(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec = 0x20080030)

I am pretty sure that the monitor is failing because the libcurl that ships with 9.3.1 doesn't support NTLMv2, but as far as I know neither does the latest version of libcurl?!?

So my question is: how do you write an EAV monitor that supports NTLMv2 in 9.3.1 and/or any other version? Is EAV the right way to go about it or is there another/better way to do it?

Thoughts appreciated.
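
Added example (not part of the original post, and not F5 or curl code): the NTLMMinServerSec value quoted above is a bitmask whose bits share positions with the NTLMSSP negotiate flags, so it can be compared with the flags a client offers in its Type 1 message. The sketch decodes 0x20080030 and lists the required bits that an `NTLM <base64>` token lacks; the function names and the sample token are constructed for illustration, and treating a missing bit as the likely reason for a rejection is a simplifying assumption.

```python
import base64
import struct

# Requirement bits documented for NTLMMinServerSec; the NTLMSSP negotiate
# flags use the same bit positions.
MIN_SEC_BITS = {
    0x00000010: "message integrity",
    0x00000020: "message confidentiality",
    0x00080000: "NTLMv2 session security",
    0x20000000: "128-bit encryption",
    0x80000000: "56-bit encryption",
}

def decode_min_sec(value):
    """Return (names of requirement bits set, leftover unrecognised bits)."""
    names = [name for bit, name in MIN_SEC_BITS.items() if value & bit]
    known = sum(bit for bit in MIN_SEC_BITS if value & bit)
    return names, value & ~known & 0xFFFFFFFF

def negotiate_flags(header_value):
    """Parse 'NTLM <base64>' and return (message type, NegotiateFlags).

    Handles Type 1 (NEGOTIATE, flags at offset 12) and Type 2
    (CHALLENGE, flags at offset 20) messages.
    """
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        raise ValueError("not an NTLM header carrying a token")
    msg = base64.b64decode(blob.strip(), validate=True)
    if len(msg) < 16 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    offset = {1: 12, 2: 20}.get(msg_type)
    if offset is None or len(msg) < offset + 4:
        raise ValueError("unsupported or truncated NTLM message")
    return msg_type, struct.unpack_from("<I", msg, offset)[0]

def missing_requirements(min_sec, flags):
    """Names of bits required by min_sec that are absent from flags."""
    return decode_min_sec(min_sec & ~flags)[0]

# Constructed Type 1 message (not captured from curl): offers only
# UNICODE | OEM | REQUEST_TARGET | NTLM = 0x00000207.
SAMPLE_TYPE1 = "NTLM " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00000207) + bytes(16)
).decode()

if __name__ == "__main__":
    print(decode_min_sec(0x20080030))
    print(missing_requirements(0x20080030, negotiate_flags(SAMPLE_TYPE1)[1]))
```

Note that the 0x00080000 bit is NTLMv2 session security, which is a separate setting from the NTLMv2 authentication level controlled by LmCompatibilityLevel.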

6 Replies

  • Hi Claud,

    I couldn't find any indications that any version of Curl supports NTLMv2. Short of disabling NTLMv2 on the server I'm not sure what type of client you could use from LTM for an external monitor. Maybe you could monitor the state of the service on the server using instead of authenticating and making a request to it directly.

    Using wmic to monitor Windows services

  • clazba
    Hey Aaron,

    Thanks for looking into that.

    Yes, I had thought about wmic, I have used it before to monitor the Exchange RPC service, but I think in this case the customer needs to validate specific content returned by the web app.

    I started looking at this post earlier on ( which looks interesting. I'll give it a shot tomorrow and see if I manage to end up with a working binary. I'll post back the results here if I get anywhere with it.

  • That seems feasible. It would also help to open an RFE case requesting native NTLMv2 support for monitors.

  • Hey Claud,

    A little birdie told me that native HTTP/S monitors in v11.1 already support NTLM and NTLMv2:

    NTLM Authentication Support for HTTP/HTTPS Monitors

    For an HTTP/HTTPS monitor to successfully use NTLM authentication, a monitor must meet the following configuration requirements:

    * The monitor must have a send string. Because it is necessary to use HTTP version 1.1, the send string must be, at minimum: "GET / HTTP/1.1\r\nHost: "
    * The monitor must have a receive string.
    * The monitor cannot be a reverse monitor.
    * The monitor must have a username. The user name may be either a simple username or it can be the domain/username. Both '\' and '/' are recognized.
    * The monitor must have a password.

    Once this monitor is associated with a pool or pool member, it only enacts NTLM if the request with Basic Auth gets a 401 response with a WWW-Authenticate header set to NTLM. At this point the NTLM handshake should commence. Here is an example monitor:

    ltm monitor http /Common/http_testauth {
        defaults-from /Common/http
        destination *:*
        interval 5
        password default
        recv Microsoft-IIS/7
        send "GET / HTTP/1.1\\r\\nHost:"
        time-until-up 0
        timeout 16
        username AUTHTEST/administrator
    }

  • clazba
    Thanks for that Aaron, that's really useful information. I doubt the customer would be willing to consider 11.1 as yet but it certainly allows me to add that to the list of potential workarounds moving forward.