Supported authentication methods in Synthetic Monitoring
Dynatrace Synthetic Monitoring offers various methods for monitoring web applications or API endpoints that require authentication. Read on for an overview of the most common scenarios and the appropriate methods to use.
Browser monitors
The web form (HTML-based), HTTP authentication, or certificate authentication methods are supported for single-URL browser monitors and browser clickpaths.
Web form (HTML-based) authentication for web applications
The most common scenario is a webpage with web form (HTML-based) authentication, which requires you to enter a username and password.
Basic, digest, NTLM, or Negotiate (Kerberos) authentication for web applications
If you need to monitor a page with a browser-native dialog box (that's not part of the web application) to authenticate (as in the image below), it's likely that the basic, digest, NTLM, or Negotiate authentication methods are used in the background.
Negotiate (Kerberos) is officially supported only on Windows systems. Each Windows machine using Kerberos has to be properly configured with Active Directory.
An additional configuration is needed for UNIX and Linux systems. For details, see Kerberos Authentication Support for Unix and Linux.
In case you are unable to authenticate with Kerberos on Windows, use the below command to register the machine.
ksetup /addkdc DOMANIN.TO.ADD address.of.kerberos.server
The DOMANIN.TO.ADD
is your domain name and address.of.kerberos.server
is the Kerberos Key distribution server (Active Directory Controller if you're using a Microsoft solution). Note that in the credentials used, the domain name must be in upper-case letters (for example, user@DOMAIN.NAME).
Supported username formats
- Browser monitors:
<username>
and<domain>\<username>
- HTTP monitors:
<username>
- NTLM authentication in browser and HTTP monitors:
<username>
Client certificate authentication for web applications
Certificate authentication is available for browser monitors executed from any public location and on Linux-based private locations. Once you set up your browser monitor, you need to specify client certificate details in the Advanced setup tab of monitor settings in edit mode.
Next, in edit mode, add client certificates for for browser monitor execution.
-
Select the Advanced setup tab in browser monitor settings.
-
Turn on Use client certificates.
-
Select Add client certificate.
-
Enter the Domain that the certificate is valid for.
-
Select a credential from the list of certificate credentials displayed. Alternatively, select Create new credential to upload and use a new client certificate. Any certificate credential you create is automatically designated as owner only and stored in the credential vault.
You can specify and upload certificate files in PFX, P12, or PEM format.
-
Select Add entry.
-
Repeat these steps to add multiple certificates for use in your clickpath. However, each certificate must be tied to a single domain.
-
Save changes.
HTTP monitors
HTTP monitors support basic, NTLM, token, OAuth 2.0, or certificate-based authentication.
Basic or NTLM authentication for endpoints
-
Go to Synthetic Classic > Create a synthetic monitor > Create an HTTP monitor.
-
Select Add HTTP request and choose the HTTP request type.
-
In the Additional options of the request, Set authentication/authorization.
-
Select Basic authentication or NTLM.
-
Either use an existing credential from the credential vault (Select credentials) or Create new credentials.
Dynatrace automatically generates the required
Authorization
header with the information you've provided.Supported username formats
- Browser monitors:
<username>
and<domain>\<username>
- HTTP monitors:
<username>
- NTLM authentication in browser and HTTP monitors:
<username>
- Browser monitors:
-
Finish configuring your HTTP monitor.
Bearer or token authentication for endpoints
-
Go to Synthetic Classic > Create a synthetic monitor > Create an HTTP monitor.
-
Select Add HTTP request and choose the HTTP request type.
-
In the Additional options of the request, Set additional HTTP headers.
-
Select Add header.
-
Fill out the header, for example, set:
Header name =
Authorization
Header value =
Bearer <your-token>
or
Header name =
Authorization
Header value =
Api-Token <your-token>
-
Finish configuring your HTTP monitor.
OAuth 2.0 authorization for endpoints
OAuth 2.0 authorization is available for HTTP monitors and is most commonly used when querying API endpoints. Dynatrace provides the OAuth2 authorization request type, which is a specialized HTTP request template for OAuth 2.0 authorization requests.
You first need to set up an OAuth 2.0 request for an access token, which you then use in all subsequent HTTP requests in your monitor that queries the API endpoint. The returned token is not stored to the credential vault, but it's easily accessible as an autocomplete option in your subsequent HTTP requests.
- Go to Synthetic Classic > Create a synthetic monitor > Create an HTTP monitor and provide a Name.
- Select Add HTTP request and choose the OAth2 authorization request type.
- Enter the URL from which you're requesting an authorization token (Access token URL) and request Name.
- Select Add HTTP request to view expanded request settings. Note that the OAuth 2.0 request is automatically created as a
POST
request. - Fill out or edit these important settings in the request details.
-
Depending on how your authentication server is set up, opt to Add authorization data to the Request body or Request URL. Fill out the POST parameters (
grant_Type
,scope
,client_id
,username
, andpassword
) in the Request body or Request URL. You can add or modify parameters as needed. -
A post-execution script is automatically enabled, where:
- The request fails if the returned status code is not
200
. - The
api.fail()
method defines the Failure message that appears in case of failure in the Events card on the HTTP monitor details page and in execution details. - If the request is successful, the response body, which is a JSON-formatted string, is stored in a JavaScript object (called
bearToken-2
in this example). - The
api.info()
method sends information to a log file, which is accessible on private Synthetic locations.
Custom log messages also appear in the
customLogs
attribute in HTTP monitor execution details. - The request fails if the returned status code is not
-
Set token request authentication enables you to specify additional authentication details (Basic authentication, NTLM, or Kerberos) for the server that the OAuth application sits behind.
-
For subsequent HTTP requests
- Create an additional HTTP request for the endpoint you need to monitor (Add HTTP request).
- In the Additional options of the second request:
-
Enable Set authentication/authorization and select the OAuth2 method. Note that this option is only available if you've first created an OAuth 2.0 authorization request (described above).
An autogenerated pre-execution script referencing the OAuth token received in the request created above is displayed.
-
As an alternative, set an HTTP
Authorization
header with the JavaScript object containing the OAuth token as the Header value.
-
- Finish configuring your HTTP monitor.
Client certificate authentication for endpoints
- Go to Synthetic Classic > Create a synthetic monitor > Create an HTTP monitor and provide a Name.
- Select Add HTTP request and choose the HTTP request type.
- In the Additional options of the request, Add client certificate.
- Either use an existing certificate from the credential vault (Select credentials) or Create new credentials.
- Finish configuring your HTTP monitor.
To assure full mutual authentication, disable Accept any SSL certificate when using certificate authentication.