SCOM 2012 - How to create a Web Application Monitor for an application requiring authentication

Question

_{Tuesday, June 5, 2012 11:14 AM}

Hi all,

It looks like starting with SCOM 2012 there are two ways to monitor a web application (URL monitoring):

• The OLD way (Using the Web Application Transaction Monitoring template)
• The NEW way (Using the Web Application Availability Monitoring template)

And, it looks like it is recommended to use the new way, because it is the agent who performs the url request, instead of being done right from the RMS.

I haven't found any problem creating a web application monitor using the new template, except for the fact that our watched web applications use authentication (NTLM - Basic and Kerberos). So, all the requests return an HTTP code 401 (Unauthorized) as expected. however I have not found the way to configure the credentials used for the monitor to do the checks (maybe it is the default action account?), or how to bypass the 401 code and get the server to return the content AFTER authentication.

I have searched a lot on the TechNet library but all articles refer to unauthenticated sites.

I know that the OLD way had a configuration setting to input credentials, but I'd like to stick to the new method, if possible.

Does anyone know how to successfully monitor an URL requiring authentication on SCOM 2012 using the Web Application Availability Monitoring Template? or, at least, using no matter which method?

Thanks!!

All replies (13)

_{Tuesday, June 12, 2012 8:49 AM ✅Answered | 3 votes}

Hello Roberto,

I think ths following article can just help you:

Web Application Monitoring with System Center Operations Manager
http://sharepointnotes.wordpress.com/2008/03/17/web-application-monitoring-with-system-center-operations-manager/

If the Web Application requires credentials to be displayed, here is how to configure it:

1. Log on to the computer with an account that is a member of the Operations Manager Authors role for the Operations Manager 2007 Management Group
2. In the Operations Console, click the Authoring button
3. Expand Management Pack Templates and click Web Application and select Web Application Monitor that should be modified
4. In the Actions pane on the right side, select Edit web application settings
5. On the Web Application Editor page click Configure settings
6. In the Select Authentication Settings select the same Authentication Methodas is being used by the Web Application you’re monitoring. For SharePoint sites using Active Directory this is normally NTLM
7. Set the User Account to one of you previously defined Run As Accounts and click OK and Apply
   If you haven’t yet defined an account to test your Web Site, you can create one in the Administration part of the Operations Console. The accounts are defined in the Security section
8. That’s it. The web site is now being monitored using the credentials defined for the Run As Account

Thanks,

Yog Li

TechNet Community Support

_{Wednesday, June 27, 2012 1:21 PM ✅Answered | 5 votes}

I got it to work using Web Application Transaction Monitoring. What wasn't clear is that you have to create the Web Application Transaction Monitor then go into that specific monitor and edit the Web Application properties. I've attached a screenshot that shows how you do this.

_{Wednesday, June 13, 2012 5:19 AM | 2 votes}

Hi Yog,

Thanks for your answer. However, you're proposing to use the "old" way (in fact, in SCOM 2012 authoring section there's no Management Pack Templates > Web Application (instead, there are two options: Application Availability monitoring and Application Transaction Monitoring).

So, my question is, having in account  these differences, how can I use the new method (that allows to check the response time from different locations) to "ping" a web server that requests authentication.

Anyhow, thanks for your interest in answering!.

Regards

Roberto

_{Tuesday, June 26, 2012 5:39 PM}

Roberto,

What version of SCOM are you using? We are using 7.0.8560.0 and it shows, "Web Application Availability Monitoring" and "Web Application Transaction Monitoring." I am trying to set this up too so I will post back if Yog Li's information is correct.

EDIT: I am getting the same error as you Roberto. There is no way to put in credentials to monitor applications that require authentication that I can see.

_{Tuesday, June 26, 2012 6:30 PM}

Hi

They are not really an "old" way and a "new" way - they are 2 different ways of monitoring:

http://technet.microsoft.com/en-us/library/hh457553

Cheers

Graham

Regards Graham New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/

_{Tuesday, June 26, 2012 7:00 PM}

I still receive a 401 error when using Web Application Transaction Monitoring. I need to be able to test against authentication.

_{Tuesday, June 26, 2012 7:07 PM | 1 vote}

Have you followed the steps in the links I gave from your other post? These might also help.

http://technet.microsoft.com/en-us/library/hh457542

http://technet.microsoft.com/en-us/library/hh457597.aspx

Regards Graham New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/

_{Wednesday, June 27, 2012 5:29 AM}

Hi hhancock,

We're using also 7.0.8560.0. As far as we have arrived:

As Graham said, there is not an old and new ways, in fact old meant "existing already in SCOM 2007 R2" and "new" meant "new in SCOM 2012".

Looks like only with the Web Application Transaction is quite more complex as it allows you to record a whole transaction to your particular application. It should allow you to manage any kind of http response from the server. However, tests are performerd internally so the network details are lost in translation.

Web Application Availability Monitoring, on the other hand, seems to be quite lighter as you can just specify one or more URL and not whole conversations. The benefits are that you can run the tests from any machine with an agent installed, thus the tests are quite more realistic as they mimic a real client request. However, we have not found the way to specify authentication information in the request so it is only useful on non-authenticated sites.

Using common sense, an **http ping **is not be very useful on an enterprise intranet environment if you cannot handle authentication, so I guess this option is only meant for internet or non-authenticated applications. doh.

Regards

_{Wednesday, June 27, 2012 7:24 AM}

The web application availability monitoring allows you to plug into what is now known as "Global Service Monitoring" - this is the way things are heading with the next version of SCOM:

http://blogs.technet.com/b/momteam/archive/2012/06/19/global-service-monitor-for-system-center-2012-observing-application-availability-from-an-outside-in-perspective.aspx

The link that Yogi giives - http://sharepointnotes.wordpress.com/2008/03/17/web-application-monitoring-with-system-center-operations-manager/ - runs through using Web Application Transaction Monitoring and configuring authentication although the name has changed from Web Application in the Authoring, Management Pack templates list.

The APM monitoring gives a "from the inside" view of both server side and client side activity of a .Net Application:

http://blogs.technet.com/b/server-cloud/archive/2011/11/11/application-performance-monitoring-with-operations-manager-2012.aspx

Cheers

Graham

Regards Graham New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/

_{Wednesday, June 27, 2012 1:24 PM}

Hi

You don't have to create the monitor first - when running through the wizard, When you get to the Summary page, you'll see a checkbox at the bottom of the screen for "Configure Advance Montoring or record a browser session". You need to check that box which will bring up thw web application editor for you to do the advanced configuration.

Cheers

Graham

Regards Graham New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/

_{Wednesday, June 27, 2012 2:01 PM}

Graham,

Well, checking that box simply takes you to the "Web Application Settings" page AFTER the monitor has been created. The wizard doesn't explicty allow you to adjust authentication while creating the monitor.

_{Friday, May 10, 2013 4:58 PM}

It looks like new Web Application Availability Monitoring uses the Action Account of the system that is monitoring the web application. I have a monitor setup using one of my Management Servers, with an Action Account configured with a domain user account. The site I am monitoring requires Windows authentication. When the management server hits the site, I can see in the IIS logs that it is using the Action Account (domain user account) to authenticate, which I granted permissions to the site.

UPDATE: Now I am not so sure about this. I tried to add another monitoring agent (Management Server) to a web application, but it isn't not behaving the same as the management server that is working. The second server is not sending the Default Action Account credentials. It is only trying to anonymous on the website, which is failing. I am using the same Action Account on the second management server as the first. The account has all of the necessary permissions on the management server and target web site.

_{Friday, September 20, 2013 8:58 AM}

Hi Graham,

We have configured URL monitoring using web transaction monitoring template, this is mainly to monitoring the URL availability. I have used this since it requires access privileges and I have set Run as account for authentication.

We are unable to get the notifications for the same when the URL is down.

Can you please help us with this ?

Regards,