JMeter preferring Negotiate over NTLM - jmeter

We have an application that has Windows Authentication enabled, with both Negotiate and NTLM in the provider module. It seems that JMeter prefers to send the request using Negotiate and fails, whereas when tried from LoadRunner we see that it always sends NTLM and passes.
Has anyone come across this kind of situation? If yes, how can we force JMeter to use NTLM authentication rather than Negotiate?
Thanks for the help.

JMeter doesn't "prefer" anything; it depends on the HTTP Authorization Manager configuration which you have to perform.
Your test should implement real user behaviour, not LoadRunner behaviour: if the real browser performs Kerberos authentication you need to do this, and vice versa.
To force JMeter to use NTLM, just make sure not to select the KERBEROS mechanism; use BASIC_DIGEST.
Check out the Windows Authentication with Apache JMeter article for more details if needed.

RabbitMQ: configuring ssl of rabbitmq_management, fail_if_no_peer_cert and fail_if_no_peer_cert parameters

General questions about the use of the fail_if_no_peer_cert and fail_if_no_peer_cert params in rabbitmq_management on Windows.
If a client calls the management API through HTTPS, the requests are secured by the certificate which is installed on the server and trusted on the client. Actually, it means this certificate shouldn't have to be RabbitMQ-compatible; it can be just an HTTP certificate... is that correct?
In case I want to validate clients as well, must I have these params set to verify and true? What is the best practice? Because I see these params explained in the AMQP settings and never in management.
Actually my motivation for this question is just to understand if I need to deal with this issue at all, because setting fail_if_no_peer_cert to true makes a lot of things much more complicated. For example, you can't just simply open the management API plugin in a browser; you need to deal with a client certificate.

How can I apply the SSL verification disable process that I performed in Postman in Jmeter?

How can I apply the SSL verification disable process that I performed in Postman in Jmeter?
As per the JMeter documentation:
The JMeter HTTP samplers are configured to accept all certificates, whether trusted or not, regardless of validity periods, etc. This is to allow the maximum flexibility in testing servers.
So SSL verification is "disabled" in JMeter by default and by design; there is nothing you need to (or can) do about it.
The funny thing is that there is no easy way to enable it. If you need to test the SSL handshake or want JMeter to fail if the SSL connection is not secure, you will have to write the code for establishing the connection using JSR223 Samplers and the Groovy language.
Update your jmeter.properties file, which is read when JMeter starts up, and add the following:
server.rmi.ssl.disable=true

jmeter and Cloudflare : 1020 error ; works with Postman

New to JMeter, so I am not sure if my setup is correct.
Basically I have this set of APIs that I need to perf test. Starting with setting up a basic connection from JMeter, I am receiving a 1020 error from Cloudflare:
Access denied | "domain" used Cloudflare to restrict access
and
<div class="cf-alert cf-alert-error cf-cookie-error hidden" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div>
It works with Postman. So I am wondering what changes I'll need in JMeter.
I have enabled saving cookies in the jmeter.properties file.
The API is for logging into a portal: username/password verified. VPN connection verified, as this works from Postman.
If you're absolutely sure that the request works in Postman (although I'm getting this 1020 error even with a real browser) you should be able to get the same behaviour in JMeter as well; just make sure to send the identical request (pay attention to the HTTP headers as well).
The easiest way is just recording your Postman request using JMeter's HTTP(S) Test Script Recorder: configure Postman to use JMeter as the proxy
and run your request. JMeter will generate the appropriate HTTP Request sampler and HTTP Header Manager.
If you need to use a VPN for proper access you might need to configure the source IP address at the "Advanced" tab of the HTTP Request sampler, as described in the Using IP Spoofing to Simulate Requests from Different IP Addresses with JMeter article.
In any case, load testing an API behind Cloudflare might not be the best idea, as Cloudflare provides DDoS protection and may (and will) block this type of traffic, so you need to either whitelist your IP address(es) or let them know about your load testing activities. I believe they will be able to suggest a better workaround than anyone here.
This is related to the security features of Cloudflare, either DDoS protection or bot blocking. Exceptions can be configured from the Cloudflare control panel.
If you don't have access to this panel you'll have to ask the corresponding person inside your company tasked with this job.

How to enable certificate verification with jmeter

Everywhere I look I see that JMeter turns off certificate verification by default.
Its documentation says "The JMeter HTTP samplers are configured to accept all certificates, whether trusted or not, regardless of validity periods, etc. This is to allow the maximum flexibility in testing servers."
Is this a configuration option, or is there no way to configure it?
I would like JMeter to verify the certificate as part of the test. I have tried the example in this answer, however it didn't fit our needs.
Thanks
There is no "switch" to enable/disable SSL verification in JMeter; you will have to patch the LazyLayeredConnectionSocketFactory.checkAndInit() function in order to enable the certificate checking functionality.
Once done you will need to build JMeter.
As a workaround you can utilize Apache HttpComponents and define your requests via a Java Request, JUnit Request or JSR223 Sampler.
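Both this answer and the earlier one about Postman's "disable SSL verification" point to the JSR223 Sampler as the way to get real certificate checking. The following is an added example script for that sampler, not code from either answer: it relies on the JVM's default trust store and hostname verification, so an untrusted, expired or mismatched certificate fails the sample instead of being accepted. It assumes a JMeter variable named target_url holds the HTTPS URL under test.

```groovy
// Added example for a JMeter JSR223 Sampler (Groovy).
// The JVM's default SSLContext validates the certificate chain against the
// trust store and checks the hostname, so a TLS problem fails the sampler
// instead of being silently accepted as the stock HTTP samplers do.
import javax.net.ssl.HttpsURLConnection
import javax.net.ssl.SSLException

// Assumption: the HTTPS URL is supplied via a JMeter variable named 'target_url'
String url = vars.get('target_url')
HttpsURLConnection conn = null
try {
    conn = (HttpsURLConnection) new URL(url).openConnection()
    conn.setConnectTimeout(5000)
    conn.setReadTimeout(10000)
    conn.setRequestMethod('GET')
    int code = conn.getResponseCode()   // triggers the TLS handshake with full validation

    // Report which certificate chain was actually verified (leaf first), for listeners;
    // the runtime type of each entry is X509Certificate, so Groovy resolves the property
    String subjects = conn.getServerCertificates()
        .collect { it.subjectX500Principal.name }
        .join(' <- ')
    SampleResult.setResponseCode(code.toString())
    SampleResult.setResponseMessage('TLS verification passed')
    SampleResult.setResponseData("Verified chain: ${subjects}".toString(), 'UTF-8')
    SampleResult.setSuccessful(code < 400)
} catch (SSLException e) {
    // Untrusted CA, expired certificate or hostname mismatch: mark the sample as failed
    SampleResult.setSuccessful(false)
    SampleResult.setResponseCode('TLS_VERIFY_FAILED')
    SampleResult.setResponseMessage(e.toString())
    SampleResult.setResponseData(e.getMessage() ?: 'TLS verification failed', 'UTF-8')
} finally {
    if (conn != null) conn.disconnect()
}
```

Because the script sets SampleResult itself, the failure shows up in listeners and assertions like any other failed sampler, without patching or rebuilding JMeter.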

No need HTTPS if i am going to use JOSE(JWT&JWE)?

I am currently looking for a web security solution. As far as I know, HTTPS will make the web more secure, but I found another security solution, JOSE (JWT & JWE), so I want to know: if I use it in the future, can I just use HTTP only, without HTTPS?
Kris.
Thanks
Your question is legit to me and I am sorry to see that you received downvotes.
As far as I know, HTTPS will make the web more secure, but I found another security solution, JOSE (JWT & JWE)
I think there is a confusion between the two technologies.
JWE is just a format that represents content using JSON-based data structures and provides integrity protection and encryption, whereas HTTPS is a secured layer for the HTTP communication protocol.
JWE is not a replacement for the HTTPS protocol.
The use of one technology, the other one, or both of them only depends on your application context. HTTPS may not be absolutely necessary in some contexts, and the secured communication may be provided by other means.
You mentioned that you want to find a solution for a security application. A secured connection should always be used in that context.
You absolutely need HTTPS even if you are using JWTs and JWEs. HTTPS allows your client to verify that it is talking to the server it expects to talk to. It also protects the content of the communication, including the JWT/JWE tokens that you are using. Without HTTPS, anybody who can listen to the communication between your client and your server can impersonate your clients.
JWTs in particular can carry information about your user. You may not need to forward them to the authorization server that granted the token (if you are using an asymmetric signing key) and still have enough information about the identity and permissions of your user to grant or deny them access to the resources that you are protecting.
