Forum Discussion

paul_125686's avatar
paul_125686
Icon for Nimbostratus rankNimbostratus
Dec 16, 2013

Health Monitor with NTLM authentication - iApp generated vs Custom built

I have been working on creating a Health Monitor for SharePoint which uses NTLM authentication. I basically mirrored an existing HTTPS Health Monitor that the Exchange 2010 iApp generated and then adjusted for the SharePoint application. After hours of troubleshooting it was determined that I can't specify "domain\username" in the username field and I needed to remove the trailing "/r/n" on the send string.

 

I have seen other forum topics regarding this but can someone explain why the Exchange 2010 iApp monitor generated\included both "domain\username", as well as, the trailing "/r/n" and it works.

 

I ran the iApp generated monitor from the CLI using cUrl and I didn't specify username and password. The receive string that the iApp expected "OutlookSession=" is returned.

 

Is the Exchange monitor somehow not using the "domain/username" account and was just placed there by the iApp template?

 

iApp generated: ltm monitor https exchange_2010.app/exchange_2010_testmail_owa_https_monitor { app-service /Common/exchange_2010.app/exchange_2010 cipherlist DEFAULT:+SHA:+3DES:+kEDH compatibility enabled defaults-from https destination : interval 30 password pswd-removed recv OutlookSession= send "GET /owa/auth/logon.aspx\?url=https://removed/owa/&reason=0 HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: host-removed\r\n" time-until-up 0 timeout 91 username domain-removed\user-removed

 

Custom Built: ltm monitor https sharepoint_2010_https_monitor { cipherlist DEFAULT:+SHA:+3DES:+kEDH compatibility enabled defaults-from https destination : interval 30 password pswd-removed recv "Home" send "GET /removed HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: host-removed" time-until-up 0 timeout 91 username user-removed

 

I also have a TAC case on this topic as well.

 

  • Hi Paul, which version of BIG-IP are you running? The SharePoint iApp that ships with v11.4 includes an option to use NTLM for the health monitor. An RC version of this iApp is also avaialble for pre-11.4 BIG-IP.

     

    The OWA monitor is actually not logging on to OWA; rather, it's checking that it can access the logon.aspx page, which is set to anonymous access by default. That's probably why it doesn't matter when you change the CR/LF in the send string.

     

    Mike

     

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account

    You can find a version of the template that uses NTLM here: https://devcentral.f5.com/wiki/iApp.Microsoft-SharePoint-2013-iApp-Template.ashx

     

  • Hi Mike,

     

    Thanks for the response. We are running 11.3 HF5. I used the Sharepoint iApp that was on the system but it never asked for username or password as part of the template. I used a similar monitor (Exchange 2010 iApp generated) which I assumed was using the fields populated in the username field (domain\username)". Based on the cUrl test I see it doesn't need username at all for the monitor to get the expected response.

     

    I guess the template just populated the fields even though it doesn't require them.

     

    Thanks again.

     

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account

    Hi Paul, which version of BIG-IP are you running? The SharePoint iApp that ships with v11.4 includes an option to use NTLM for the health monitor. An RC version of this iApp is also avaialble for pre-11.4 BIG-IP.

     

    The OWA monitor is actually not logging on to OWA; rather, it's checking that it can access the logon.aspx page, which is set to anonymous access by default. That's probably why it doesn't matter when you change the CR/LF in the send string.

     

    Mike