NTLM 401 unauthorized

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.

Post by ahoward12 »

Hey Gents, I am trying to authenticate against SharePoint 2013. We recently had it break, and we would not have been surprised first thing in the office if we had authentication tests... So here we are. I have been working on this for a good while and I can't seem to find any real solution.

Here is what I get when I run the check command. I used fake credentials and domain, but the results are the same no matter what. I have tried using a check_sharpoint.pl from Nagios Exchange, but I have absolutely zero luck with that. If I can use the check_basicauth.pl it would be nice.
Any ideas? I can give any more information upon request.

Nagios XI 5.4.11
CentOS 6.8
VMware

Code:

[[email protected] ~]$ /usr/local/nagios/libexec/check_basicauth.pl -u thehive.domain.com -l domain\testuser -p 123456789 -e 'The Hive' -d -s
401 UNAUTHORIZED
401 Unauthorized
Date: Tue, 17 Apr 2018 13:59:43 GMT
Server: Microsoft-IIS/8.5
WWW-Authenticate: NTLM
Content-Length: 16
Content-Type: text/plain; charset=utf-8
Client-Date: Tue, 17 Apr 2018 13:59:44 GMT
Client-Peer: 10.10.100.23:80
Client-Response-Num: 1
MicrosoftSharePointTeamServices: 15.0.0.4569
Request-Id: 44615e9e-bcc5-b014-c41b-c7016c78230c
SPIisLatency: 0
SPRequestDuration: 3
SPRequestGuid: 44615e9e-bcc5-b014-c41b-c7016c78230c
X-Content-Type-Options: nosniff
X-FRAME-OPTIONS: SAMEORIGIN
X-MS-InvokeApp: 1; RequireReadOnly
X-Powered-By: ASP.NET

HTTPAUTH CRITICAL: authentication failed

Re: NTLM 401 unauthorized

Post by scottwilkerson »

I have no experience with this plugin, but most certainly the username would need to be quoted or escaped because the \ is going to be evaluated

Code:

'domain\testuser'

but have you confirmed that check_basicauth.pl can check NTLM auth?

You may need to search for a plugin that specifically can do that

Re: NTLM 401 unauthorized

Post by ahoward12 »

Thanks Scott. I tried your suggestion, and while it also made sense to me, it didn't work. As well, no, I have no confirmation it will work at all. I have tried every single one off of Exchange and none of them get me close except for check_ntlmauth.pl, which produces these results:

Code:

[[email protected] ~]$ /usr/local/nagios/libexec/check_ntlmauth.pl -u thehive.domain.com/Pages/Home.aspx -l user -p pass123 -e 'The Hive' -d -s 
500 Can't connect to thehive.domain.com:443 (connect: Connection refused)

500 Can't connect to thehive.domain.com:443 (connect: Connection refused)
Content-Type: text/plain
Client-Date: Tue, 17 Apr 2018 16:15:54 GMT
Client-Warning: Internal response

HTTPAUTH CRITICAL: authentication failed

Now this is pretty obvious because I have no binding to 443, only 80. I have no idea how to change it to use http. The script is below; you will find I have declared it to use port 80 where it was previously 443. However, it is still trying on port 443 SSL. I do not want to host the site on 443...

Code:

#!/usr/bin/perl

#===================================================================================================================
#
#         FILE: check_ntlmauth.pl
#
#        USAGE: check_ntlmauth.pl -u <url> -l <username> -p <password> (-c <critical> -w <warning> -e <expect> -v)
#
#  DESCRIPTION: Authenticates against a web page using ntlm auth
#
#      OPTIONS: ---
# REQUIREMENTS: LWP::UserAgent, Authen::NTLM, LWP::Authen::Ntlm and Crypt::SSLeay if https support is required
#         BUGS: If the webpage is not using ntlm auth you may get false positives
#        NOTES: ---
#       AUTHOR: Tim Pretlove
#      VERSION: 0.6
#      CREATED: 16-06-2010
#     REVISION: ---
#      LICENCE: GNU
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
#===================================================================================================================

use strict;
use warnings;

use LWP::UserAgent;
use HTTP::Request::Common;
#use LWP::Debug qw(+);
use Getopt::Long;
use Time::HiRes qw(gettimeofday tv_interval);
use LWP::Authen::Ntlm;
use Authen::NTLM;
use lib "/usr/local/nagios/libexec";
use utils qw(%ERRORS);
my $domain = "cafaroco";

my ($status,$debug,$login,$crit,$warn,$ver,$expect,$url,$passwd);

GetOptions(
        'critical=s'    => \$crit,
        'warning=s'             => \$warn,
        debug                   => \$debug,
        status                  => \$status,
        verbose                 => \$ver,
        'url=s'                 => \$url,
        'login=s'               => \$login,
        'password=s'    => \$passwd,
        'expect=s'              => \$expect) or HELP_MESSAGE();


sub testauth {
    my ($status,$debug,$login,$crit,$warn,$ver,$expect,$url,$passwd) = @_;
    my $elapsed;
    my $startsec;
        my $ua = new LWP::UserAgent(keep_alive=>1);
    my $newlogin = $domain . '\\' . $login;
    $ua->credentials("$url:80", '',$newlogin, $passwd);
        $ua->cookie_jar ( {} );
        #$ua->requests_redirectable;
    my $timeout = $crit + 1;
    $ua->timeout($timeout);
        $startsec = [gettimeofday()];
        my $httpchk = substr $url, 0, 4;
        if ($httpchk ne "http") { $url = "https://" . $url } else {
        print "Please do not put a http:// or https:// prefix on the address\n";
        HELP_MESSAGE();
    }
        my $req = GET $url;
        print $req->content;
        my $response = $ua->request($req);
        $elapsed = tv_interval ($startsec, [gettimeofday]);
        if ($debug) {
                my $str = $response->content;
                print "$str\n";
        }
        if ($status) {
                my $str = $response->status_line;
                print "$str\n";
        print $response->headers()->as_string(), "\n";
        }

        if ($response->is_success) {
                if (defined $expect) {
                        my $str = $response->content;
                        if ($str !~ /$expect/) {
                                return (4,$elapsed);
                        }
                }
                if ((defined $crit) && (defined $warn)) {
                        if ($crit <= $elapsed) { return 3,$elapsed }
                        if ($warn <= $elapsed) { return 2,$elapsed }
                }
                return 0,$elapsed;
        } else { return 1,$elapsed }
}

sub HELP_MESSAGE {
        print "$0 -u <url> -l <username> -p <password> (-c <critical> -w <warning> -e <expect> -v)\n";
        print "\t -u <url> # url string to run basic auth against do not prefix with http or https\n";
        print "\t -l <username> # username to login with\n";
        print "\t -p <password> # password to login with\n";
        print "\t -c <seconds> # the number of seconds to wait before a going critical\n";
        print "\t -w <seconds> # the number of seconds to wait before a flagging a warning\n";
        print "\t -v # displays nagios performance information\n";
        print "\t -e <expect> # string to query on the authenticated page\n";
        print "\t -s prints status line (debugging info)\n";
        print "\t -d prints page contents (debugging info)\n";
        print "\t e.g $0 -u foobar.com -l testuser -p testpasswd -c 10 -w 3 -v -e \"Hello sweetie\"\n";
        # A usage error must not exit 0, or Nagios records the check as OK
        exit $ERRORS{'UNKNOWN'};
}

sub checkopts {
    my ($status,$debug,$login,$crit,$warn,$ver,$expect,$url,$passwd) = @_;
        if ((!defined $url) || (!defined $login) || (!defined $passwd)) {
        print "Missing argument ";
        if (!defined $url) { print "-u <url>" }
        if (!defined $login) { print "-l <username> " }
        if (!defined $passwd) { print "-p <password>" }
        print "\n";
                HELP_MESSAGE();
                exit 4;
        }

        if ((defined $ver) && ((!defined $crit) || (!defined $warn))) {
                print "-v needs -c and -w values to be specified\n";
                HELP_MESSAGE();
                exit 4;
        }
        if (((defined $warn) && (!defined $crit)) || ((defined $crit) && (!defined $warn))) {
                print "Both -w and -c need to be specified\n";
                HELP_MESSAGE();
                exit 4;
        }
}
checkopts($status,$debug,$login,$crit,$warn,$ver,$expect,$url,$passwd);
my ($rc,$eltime) = testauth($status,$debug,$login,$crit,$warn,$ver,$expect,$url,$passwd);
my @mess = qw(OK CRITICAL WARNING CRITICAL CRITICAL);
my @mess2 = ("host authenticated successfully","authentication failed","is slow responding","host critical response time","failed to retrieve expect string");
print "HTTPAUTH $mess[$rc]: $mess2[$rc]";
if (defined $ver) {
        print "|time=$eltime" . "s;$warn;$crit;0;$crit";
}
print "\n";
exit $ERRORS{$mess[$rc]};

Re: NTLM 401 unauthorized

Post by scottwilkerson »

I think you would need to change this line

Code:

if ($httpchk ne "http") { $url = "https://" . $url } else {

to this

Code:

if ($httpchk ne "http") { $url = "http://" . $url } else {

because it is forcing the url to start with https
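The one-line scheme change above, generalized as an added example (not part of check_ntlmauth.pl and not code from either poster): it derives both the request URL and the `host:port` key for `credentials()` from the single `-u` value, so neither the scheme nor the port is hard-coded and a path in `-u` no longer ends up inside the key the way it does with `"$url:80"`. The helper name `target_from_arg` and the default of plain HTTP are assumptions; `URI` is the module LWP itself depends on.

```perl
#!/usr/bin/perl
# Added example, not part of check_ntlmauth.pl.
use strict;
use warnings;
use URI;

# Hypothetical helper: turn the -u argument into the URL to request and the
# "host:port" key that LWP::UserAgent->credentials() matches against.
sub target_from_arg {
    my ($arg, $default_scheme) = @_;
    $default_scheme ||= 'http';    # assumption: plain HTTP, as in the thread

    # Prepend the default only when the argument carries no scheme of its own.
    my $text = $arg =~ m{^[A-Za-z][A-Za-z0-9+.-]*://} ? $arg : "$default_scheme://$arg";
    my $uri  = URI->new($text);

    my $scheme = $uri->scheme;
    die "unsupported scheme in '$arg'\n"
        unless defined $scheme && $scheme =~ /^https?\z/;
    die "no host in '$arg'\n"
        unless defined $uri->host && length $uri->host;

    # host_port always carries a port: the explicit one, else 80 or 443.
    return ($uri->as_string, $uri->host_port);
}

# Constructed sample inputs; the host name is the placeholder used in the thread.
my @samples = (
    'thehive.domain.com',
    'thehive.domain.com/Pages/Home.aspx',
    'thehive.domain.com:8080/Pages/Home.aspx',
    'https://thehive.domain.com/Pages/Home.aspx',
);

for my $arg (@samples) {
    my ($url, $netloc) = target_from_arg($arg);
    print "$arg\n  request: $url\n  credentials key: $netloc\n";
    # In the plugin the pair would be used as:
    #   $ua->credentials($netloc, '', "$domain\\$login", $passwd);
    #   my $response = $ua->request(GET $url);
}
```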

Re: NTLM 401 unauthorized

Post by ahoward12 »

As always you were correct. I know little about perl but thankfully you do! You can close this thread. For educational purposes here is an example of the correct output (scrutinized):

Code:

[[email protected] ~]$ /usr/local/nagios/libexec/check_ntlmauth.pl -u thehive.domain.com -l 'adminuser' -p 'pass123' -e 'The Hive' -s 
HTTPAUTH OK: host authenticated successfully

Here is with the '-s':

Code:

[[email protected] ~]$ /usr/local/nagios/libexec/check_ntlmauth.pl -u thehive.domain.com -l 'adminuser' -p 'pass123' -e 'The Hive' -s 
200 OK
Cache-Control: private, max-age=0
Date: Tue, 17 Apr 2018 17:52:59 GMT
Server: Microsoft-IIS/8.5
Content-Length: 101597
Content-Type: text/html; charset=utf-8
Expires: Mon, 02 Apr 2018 17:52:59 GMT
Last-Modified: Tue, 17 Apr 2018 17:52:59 GMT
Client-Date: Tue, 17 Apr 2018 17:53:00 GMT
Client-Peer: 10.10.100.23:80
Client-Response-Num: 6
Link: </_layouts/15/images/favicon.ico?rev=23>; id="favicon"; rel="shortcut icon"; type="image/vnd.microsoft.icon"
Link: </Style%20Library/en-US/Themable/Core%20Styles/pagelayouts15.css>; rel="stylesheet"; type="text/css"
Link: </_layouts/15/1033/styles/Themable/corev15.css?rev=ox%2BqLd6WTqhn6d%2FMqf2BMw%3D%3D>; rel="stylesheet"; type="text/css"
Link: </_vti_bin/spsdisco.aspx>; rel="alternate"; type="text/xml"
Link: </Style%20Library/domain/domainSidebarCalendar.css>; rel="stylesheet"; type="text/css"
Link: <http://thehive.domain.com:80/Pages/home.aspx>; rel="canonical"
Link: </Style%20Library/domain/domainHome.css>; rel="stylesheet"; type="text/css"
MicrosoftSharePointTeamServices: 15.0.0.4569
Persistent-Auth: true
Request-Id: 9d6e5e9e-8cb2-b014-c41b-c47c8864fd90
Set-Cookie: http%3A%2F%2Fthehive%2Edomain%2Ecom%2FDiscovery=WorkspaceSiteName=VGhlIEhpdmU=&WorkspaceSiteUrl=aHR0cDovL3RoZWhpdmUuY2FmYXJvY28uY29t&WorkspaceSiteTime=MjAxOC0wNC0xN1QxNzo1Mjo1OQ==; expires=Thu, 17-May-2018 17:52:59 GMT; path=/_vti_bin/Discovery.asmx
SPIisLatency: 0
SPRequestDuration: 278
SPRequestGuid: 9d6e5e9e-8cb2-b014-c41b-c47c8864fd90
Title: Pages - The Hive
X-AspNet-Version: 4.0.30319
X-Content-Type-Options: nosniff
X-FRAME-OPTIONS: SAMEORIGIN
X-Meta-GENERATOR: Microsoft SharePoint
X-Meta-Msapplication-TileColor: #0072C6
X-Meta-Msapplication-TileImage: /_layouts/15/images/SharePointMetroAppTile.png
X-MS-InvokeApp: 1; RequireReadOnly
X-Powered-By: ASP.NET
X-SharePointHealthScore: 2
X-UA-Compatible: IE=10

HTTPAUTH OK: host authenticated successfully

Re: NTLM 401 unauthorized

Post by scottwilkerson »

YAY! I am so happy it worked.

Locking