All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Website monitoring : user format for domain users

Esky73
Builder
2 weeks ago

what is the correct format for domain users please?

if i curl from a HF i get get the desired 200 response using :

curl -v http://mywebsite.com --ntlm -u username@mydomain.ad.ltd.com.au

If i use this format in the TA i see the error message in the logs asking for format in domain\\username

I have tried several connotations of mydomain\\username but have not been successful

what should be the format for this domain?

Or is the issue with --ntlm ? as if we use the --negotiate flag or remove --ntlm we get 401 ?

cheers

Labels (2)
0 Karma
Reply

Esky73
Builder
2 weeks ago

Retried with curl and the domain\\username format and got curl to work - but the repsponse is initially a 401 and then retries and is successful - the request goes through a load balancer 1st enroute to the webserver.

> curl http://mywebsite/healthcheck.aspx -v --ntlm -u DOMAIN\\username
Enter host password for user 'DOMAIN\username':
* Trying 1.1.1.1 ...
* TCP_NODELAY set
* Connected to myhost (1.1.1.1) port 80 (#0)
* Server auth using NTLM with user 'DOMAIN\username'
> GET /healthcheck.aspx HTTP/1.1
> Host: myhost
> Authorization: NTLM XXX
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html; charset=us-ascii
< Server: Microsoft-HTTPAPI/2.0
< WWW-Authenticate: NTLM XXX
< Date: Thu, 03 Jul 2025 01:07:05 GMT
< Content-Length: 341
<
* Ignoring the response-body
* Connection #0 to host myhost left intact
* Issue another request to this URL: 'http://myhost/healthcheck.aspx'
* Found bundle for host myhost: 0x55a8787a6a60 [can pipeline]
* Re-using existing connection! (#0) with host myhost
* Connected to myhost (1.1.1.1) port 80 (#0)
* Server auth using NTLM with user 'DOMAIN\username'
> GET /healthcheck.aspx HTTP/1.1
> Host: myhost
> Authorization: NTLM XXX
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: private
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/10.0
< X-AspNet-Version: 4.0.30319
< Persistent-Auth: true
< X-Powered-By: ASP.NET
< Date: Thu, 03 Jul 2025 01:07:05 GMT
< Content-Length: 557
<

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

 


<html>
<head>
<title>Health Check</title>
</head>

0 Karma
Reply

livehybrid
Super Champion
2 weeks ago

Hi @Esky73 

The app uses the HttpNtlmAuth/requests-ntlm library which as you've found does require the Username in 'domain\\username' format. There doesnt look to be a way around this.

It should be possible to authenticate using the domain\\username but the domain isnt always the first bit after the @ symbol in the full domain, e.g. it could by "mydomain", "mydomain.ad" or something completely different. Are you able to check with your AD team to see what this value should be?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

It's 3:17 AM, and your phone buzzes with an urgent alert. Wire transfer processing times have spiked, and ...