Nagios Support Forum

Support for Nagios products and services
https://support.nagios.com/forum/

Need to monitor web url configured with single sign on

https://support.nagios.com/forum/viewtopic.php?t=44651

Page 1 of 2

Need to monitor web url configured with single sign on

Posted: Thu Jul 13, 2017 8:27 am
by anish
Need to monitor web url configured with single sign on ( active directory authentication ) with Nagios XI..Please guide us.

We have tried default web URL monitoring option in configuration wizards but getting error as unauthorized.

Re: Need to monitor web url configured with single sign on

Posted: Thu Jul 13, 2017 9:12 am
by mcapra
It would really depend on the type of authentication the page is using. Saying it's "SSO" and "Active Directory" doesn't really tell us anything about how the page is going to actually handle the authentication step. There's lots and lots of different ways different applications verify credentials. Is it using basic authentication? Is there a form with fields that submits the values to some other place with a POST request?

If the authentication is handled via some sort of POST request, you can use check_http to pass POST variables to the destination page. From the man page for check_http:
https://nagios-plugins.org/doc/man/check_http.html
-P, --post=STRING
URL encoded http POST data
This documentation might be useful:
https://assets.nagios.com/downloads/nag ... ios-XI.pdf

If all else fails, you could probably use a Selenium setup to address this:
https://assets.nagios.com/downloads/nag ... ios-XI.pdf

Note that a Selenium setup would involve a separate system and you shouldn't install the Selenium RC server or any other related components on the Nagios XI machine.

Somewhat unrelated, but here's some threads you may find useful for Oracle and NTLM based SSO:
https://support.nagios.com/forum/viewto ... 8&p=180824
https://support.nagios.com/forum/viewto ... 2&p=180826

Re: Need to monitor web url configured with single sign on

Posted: Thu Jul 13, 2017 11:48 am
by tgriep
Thanks @mcapra for the help.

Re: Need to monitor web url configured with single sign on

Posted: Thu Jul 13, 2017 2:23 pm
by ssax
For checking NTLM websites you can use the attached plugin and use these commands to test it:

To just check NTLM authentication for an HTTP site:

Code: Select all

./check_ntlm_website.sh -u 'domain\username' -p 'password' -U 'http://X.X.X.X/path/to/your/page.whatever'

Code: Select all

[root@xidc73 libexec]# ./check_ntlm_website.sh -u 'contoso\ssax' -p 'xxXxxXxxXX' -U 'http://my.site.com/testing/page.aspx'
OK - Authenticated Successfully.

To just check NTLM authentication for an HTTPS site:

Code: Select all

./check_ntlm_website.sh -u 'domain\username' -p 'password' -U 'https://X.X.X.X/path/to/your/page.whatever'

Code: Select all

[root@xidc73 libexec]# ./check_ntlm_website.sh -u 'contoso\ssax' -p 'xxXxxXxxXX' -U 'https://my.site.com/testing/page.aspx'
OK - Authenticated Successfully.
To check NTLM authentication AND search the page for specific text you can use the -s option:

Code: Select all

./check_ntlm_website.sh -u 'domain\username' -p 'password' -U 'http://X.X.X.X/path/to/your/page.whatever' -s 'searchword'

Code: Select all

[root@xidc73 libexec]# ./check_ntlm_website.sh -u 'contoso\ssax' -p 'xxXxxXxxXX' -U 'https://my.site.com/testing/page.aspx' -s 'border'
OK - Authenticated Successfully - Search string 'border' found.

Thank you
check_ntlm_website.zip

Re: Need to monitor web url configured with single sign on

Posted: Wed Aug 09, 2017 7:56 am
by jkinning
I am looking to check a site using NTLM auth and was unable to get anything to work. I searched this forum and found this thread but the results are not correct. I am trying to check a URL satmr1t.domain.com/TT/sitestatus.aspx which is reading a database call and to verify things are working will display this on the page:
TT Site Status
SQL Check Fourteen: 14

So I need to use a service account in our AD, _satmr_t, to view the page and if 14 exists all is good with the world. If 14 doesn't appear then I need a critical response and notification should get dispatched. Again, I ran across this thread but the script doesn't appear to be working correctly. See below results.

Code: Select all

[nagios@nagiosserver libexec]$ ./check_ntlm_website.sh -u 'domain\_satmr_t' -p 'sp\!pru6h' -U 'satmr1t.domain.com/TT/sitestatus.aspx' -s '14'
OK - Authenticated Successfully.
Good

[nagios@nagiosserver libexec]$ ./check_ntlm_website.sh -u 'domain\_satmr_t' -p 'sp\!pru6h' -U 'satmr1t.domain.com/TT/sitestatus.aspx' -s '12'
OK - Authenticated Successfully.
Not good should be critical as 12 is not present.

[nagios@nagiosserver libexec]$ ./check_ntlm_website.sh -u 'domain\_satmr_t' -p 'sp!pru6h' -U 'satmr1t.domain.com/TT/sitestatus.aspx' -s '12'
OK - Authenticated Successfully.
Not OK, I removed the \ in front of the special character but 12 is on the page.

[nagios@nagiosserver libexec]$ ./check_ntlm_website.sh -u 'domain\_satmr_t' -p 'sp!pru6' -U 'satmr1t.domain.com/TT/sitestatus.aspx' -s '12'
OK - Authenticated Successfully.
Same as above

[nagios@nagiosserver libexec]$ ./check_ntlm_website.sh -u 'domain\_satmr_q' -p 'sp!pru6' -U 'satmr1t.domain.com/TT/sitestatus.aspx' -s '12'
OK - Authenticated Successfully.
Not OK, this user doesn't exist.
Am I using this correctly? I cannot get a critical on anything I try but everything is OK - Authenticated Successfully.


curl http://satmr1t.domain.com/TT/sitestatus.aspx -v
* About to connect() to satmr1tdomain.com port 80 (#0)
* Trying IP_of_website... connected
* Connected to satmr1t.domain.com (IP_of_website) port 80 (#0)
> GET /TT/sitestatus.aspx HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: satmr1t.domain.com
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html
< Server: Microsoft-IIS/7.5
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
< WWW-Authenticate: Basic realm="satmr1t.domain.com"
< X-Powered-By: ASP.NET
< Date: Wed, 09 Aug 2017 13:11:52 GMT
< Content-Length: 1293
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
* Connection #0 to host satmr1t.domain.com left intact
* Closing connection #0

Re: Need to monitor web url configured with single sign on

Posted: Wed Aug 09, 2017 3:24 pm
by ssax
I apologize, there was a bug in the script, please try this updated version with more features and the fix:
check_ntlm_website.zip
Make sure to use the complete URL including http:// or https://, it now can check certificates as well:

Code: Select all

[root@server ~]# ./check_ntlm_website.sh -h

check_ntlm_website.sh Revision 1.0.1 - This plugin will check NTLM websites with curl.

Usage:
-u      NTLM User
-p      NTLM Pass
-U      URL
-s      Search String                                           (optional)
-C      Check Certificate                                       (optional)
-w      Warning Days for Certificate Check      (optional, default = 90, requires -C)
-c      Critical Days for Certificate Check     (optional, default = 30, requires -C)
-t      CURL Timeout in Seconds                         (optional, default = 10)
-v      Verbose
-h      Help Menu

Examples:

./check_ntlm_website.sh -u 'contoso.local\ssax' -p 'yourP@ss' -U 'https://X.X.X.X/test/index.html' -s 'searchstring'

This will connect to the website with the provided NTLM credentials and search the resulting output for the text 'teststring'.
More Examples:

To check and HTTP website with NTLM authentication:

Code: Select all

/usr/local/nagios/libexec/check_ntlm_website.sh -u 'contoso.local\ssax' -p 'yourP@ss' -U 'http://www.example.com/test/index.html'
For HTTPS just change the URL to use https instead of http in the command.

To check NTLM authentication AND search for a string in the page content:

Code: Select all

/usr/local/nagios/libexec/check_ntlm_website.sh -u 'contoso.local\ssax' -p 'yourP@ss' -U 'https://www.example.com/test/index.html' -s 'searchstring'
To check NTLM authentication AND check the SSL certificate:

Code: Select all

/usr/local/nagios/libexec/check_ntlm_website.sh -u 'contoso.local\ssax' -p 'yourP@ss' -U 'https://www.example.com/test/index.html' -C
The default is to warn at 90 and go critical at 30, if you'd like to adjust them you can:

Code: Select all

/usr/local/nagios/libexec/check_ntlm_website.sh -u 'contoso.local\ssax' -p 'yourP@ss' -U 'https://www.example.com/test/index.html' -C -w 180 -c 90
To check NTLM authentication, SSL Certificate, and search for a string in the page content:

Code: Select all

/usr/local/nagios/libexec/check_ntlm_website.sh -u 'contoso.local\ssax' -p 'yourP@ss' -U 'https://www.example.com/test/index.html' -C -s 'searchstring'

Also, you can pass the -v option to get verbose output for debugging.

Let us know if you have any issues.


Thank you

Re: Need to monitor web url configured with single sign on

Posted: Thu Aug 10, 2017 2:28 pm
by jkinning
I am just getting CRITICAL: Authentication Failed! - Search string '14' NOT found! now.

I'll PM you the verbose output.

Re: Need to monitor web url configured with single sign on

Posted: Thu Aug 10, 2017 2:36 pm
by ssax
Replied requesting a change in the command.

Re: Need to monitor web url configured with single sign on

Posted: Thu Aug 10, 2017 2:59 pm
by ssax
That was a bug, please try with this version (1.0.2):
check_ntlm_website.zip
Thank you

Re: Need to monitor web url configured with single sign on

Posted: Fri Aug 11, 2017 6:06 am
by jkinning
Excellent!! Looks like this script is working like designed now. I get a OK when the 14 is present and a Critical when I change it to 12 or some other value that is not 14.

Thanks a million for your script and assistance with this issue!
All times are UTC-05:00
Page 1 of 2

Powered by phpBB® Forum Software © phpBB Limited