Monitor URL transactions

westernuniv
Posts: 120
Joined: Tue Aug 21, 2012 9:29 am

Monitor URL transactions

Post by westernuniv »

I’m using the following command to verify the ADFS login,

Code:

./check_http -H <adfs-servername> -f follow -I <server-ip> -u '/adfs/ls/IdpInitiatedSignon.aspx' -S --sni -a <userid>:<pwd> -s "Sign Out" -p 443
HTTP OK: HTTP/1.1 200 OK - 12182 bytes in 0.145 second response time |time=0.144998s;;;0.000000 size=12182B;;;0
If I give the wrong credentials, I get the same output. I then checked the access logs on the ADFS server, which showed the check actually doing the HTTP GET, not parsing the userid:pwd.

Code:

Nov 25 16:11:08 adfs-server MSWinEventLog|1|Security|37716|Tue Nov 25 16:11:07 2014|403|AD FS Auditing|UWO\SVC.ADFS|N/A|Success Audit|ADFS-server|None||An HTTP request was received.     Activity ID: 00000000-0000-0000-c804-0080010000f7     Request Details:       Date And Time: 2014-11-25 21:11:07       Client IP: x.x.x.x       HTTP Method: GET       Url Absolute Path: /adfs/ls/IdpInitiatedSignon.aspx       Query string: -       Local Port: 443       Local IP: x.x.x.x       User Agent: check_http/v2.0.2 (nagios-plugins 2.0.2)       Content Length: 0       Caller Identity: -       Certificate Identity (if any): -       Targeted relying party: -       Through proxy: True       Proxy DNS name: WAP2|37279
Here I'm checking the login of the SSO page straightaway without any redirection.

Thanks
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: Monitor URL transactions

Post by sreinhardt »

Does this page use NTLM to authenticate instead of basic auth? If so, check_http will not work presently, as it does not have support for NTLM authentication.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
westernuniv
Posts: 120
Joined: Tue Aug 21, 2012 9:29 am

Re: Monitor URL transactions

Post by westernuniv »

Yes it is. In that case, is there any other plugin that I can use?

Thanks
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Monitor URL transactions

Post by abrist »

Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
westernuniv
Posts: 120
Joined: Tue Aug 21, 2012 9:29 am

Re: Monitor URL transactions

Post by westernuniv »

Sorry, I was wrong. AD FS is using the standards-based WS-Federation protocol and Security Assertion Markup Language (SAML). Is there any plugin that supports that?

I’ve tried check_form.pl
./check_form.pl -u "https://<server-name>/adfs/ls/IdpInitiatedSignon.aspx" -f "userName=xxxx&password=zzzzz" e "Sign Out" -c 10 -w 3 -d -v
500 SSL negotiation failed:
HTTPFORM CRITICAL: failed to retrieve expect string|time=0.090801s;3;10;0;10

One thing I noticed is that when I do a simple URL check of the web server using check_http, I need to use the "--sni" switch to make it work.
./check_http -H <adfs-servername> -f follow -I <server-ip> -u '/adfs/ls/IdpInitiatedSignon.aspx' -S --sni
If I don’t use it, I’m getting “CRITICAL - Cannot make SSL connection.”

Could it be that check_form.pl is lacking "--sni" support?

Thanks
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: Monitor URL transactions

Post by sreinhardt »

It is certainly possible, but it really depends on whether that plugin uses internal Perl functions or leverages something like curl or wget, as those both support aspx pages. As for other plugins that support these authentication schemes, honestly I am unsure, but we can definitely take a look and get back to you!
westernuniv
Posts: 120
Joined: Tue Aug 21, 2012 9:29 am

Re: Monitor URL transactions

Post by westernuniv »

Any luck on finding something that works?

Thanks
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Monitor URL transactions

Post by abrist »

westernuniv wrote: Could it be that check_form.pl is lacking "--sni" support?
I believe so.
westernuniv wrote: Any luck on finding something that works?
Not as of yet, though I will try to bring Spenser into this tomorrow.
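Added example, not part of the thread and not Nagios or plugin code: the check in the first post returned OK with wrong credentials, so a login check needs a negative control showing that the expected string is absent before login. The sketch below posts the form fields instead of sending basic auth, keeps cookies across the redirect, and refuses to report OK when the string also matches the anonymous page. The field names `userName` and `password` are copied from the check_form.pl attempt above and are an assumption about the real form; the script name is hypothetical.

```python
#!/usr/bin/env python3
# Added example: form-login check with a negative control (not from the thread).
import http.cookiejar, sys, urllib.error, urllib.parse, urllib.request

OK, CRITICAL, UNKNOWN = 0, 2, 3  # Nagios plugin exit codes

def fetch(opener, url, form=None, timeout=10):
    """GET url, or POST `form` url-encoded; returns (status, body text).
    urllib sends the URL's host name as SNI and follows redirects."""
    data = urllib.parse.urlencode(form).encode() if form else None
    try:
        with opener.open(url, data=data, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def evaluate(baseline, status, body, expect):
    """Map an anonymous baseline page and the login response to a state."""
    if expect in baseline:
        # The string matches without logging in, so it proves nothing.
        return UNKNOWN, f"'{expect}' is present before login; pick another string"
    if status >= 400:
        return CRITICAL, f"login request returned HTTP {status}"
    if expect not in body:
        return CRITICAL, f"'{expect}' not found after login"
    return OK, f"'{expect}' found only after login"

def check(url, form, expect):
    # One cookie jar per run, so the session cookie set by the login POST
    # is sent on the redirect that follows it.
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    _, baseline = fetch(opener, url)
    status, body = fetch(opener, url, form)
    return evaluate(baseline, status, body, expect)

if __name__ == "__main__":
    # Usage: check_form_login.py URL USER PASSWORD EXPECT
    url, user, pwd, expect = sys.argv[1:5]
    # Field names copied from the check_form.pl attempt; adjust to the real form.
    try:
        state, msg = check(url, {"userName": user, "password": pwd}, expect)
    except OSError as err:  # URLError, TLS and socket failures
        state, msg = CRITICAL, f"request failed: {err}"
    print(f"FORMLOGIN {('OK', 'WARNING', 'CRITICAL', 'UNKNOWN')[state]} - {msg}")
    sys.exit(state)
```

A password passed as a command-line argument is visible in the process list on the monitoring host, so use a dedicated low-privilege test account for a check like this.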