I am getting the below error in jmeter, how to resolve this.
WARN o.a.h.c.p.RequestTargetAuthentication: NEGOTIATE authentication
error: No valid credentials provided (Mechanism level: No valid
credentials provided (Mechanism level: Failed to find any Kerberos
tgt))
Steps I followed :
I am using Http authorization manager and provided all details like Base URL, user, password, domain, Mechanism (BASIC) , I have parameterized the test with different users login using HTTP auth manager.
My application used NTLM authentication, my test is running successful but I am getting above warning in log file.
How to resolve this ?
Related
I am trying to integrate a Shibboleth IDPV3.4.1 with my SP which is a server called as ClearPass. I am using the Linux platform of the Shibboleth IDP. I configured the relyingparty.xml, attribute-filter.xml, attribute-resolver.xml,ldap.properties, and also the and uploaded the metadata to the /metadata/sp-metadata.xml also updating the metadata-providers.
I am trying to use the password authentication flow with LDAP, however the issue is that I never get the login page when I initiate the SAML transaction from my SP. I get an error saying "Web Login Service -Stale Request". I have attached the screenshot of the error
Stale Request
I attempt to do a resolver test using the
http://shib.nslab.com:8080/idp/profile/admin/resolvertest?requester=https://chandracppm.nslab.com/networkservices/saml2/sp&principal=chandu
requester "https://chandracppm.nslab.com/networkservices/saml2/sp"
principal "chandu"
attributes
0
name "sAMAccountName"
values
0 "chandu"
and I get the attributes from AD in return, which shows the connection to AD is working.
However the authentication page does not appear from the IDP when I try to access the resource in my SP, I only get the Stale request Error.
The error that I see in the logs/idp-process.log is as follows
2018-12-10 19:26:08,222 - 10.23.20.81 - ERROR [org.opensaml.profile.action.impl.DecodeMessage:73] - Profile Action DecodeMessage: Unable to decode incoming request
org.opensaml.messaging.decoder.MessageDecodingException: Shibboleth Authentication Request message did not contain the providerId query parameter.
at net.shibboleth.idp.saml.profile.impl.BaseIdPInitiatedSSORequestMessageDecoder.getEntityId(BaseIdPInitiatedSSORequestMessageDecoder.java:128)
2018-12-10 19:26:08,223 - 10.23.20.81 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: UnableToDecode
2018-12-10 19:26:08,224 - 10.23.20.81 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:143] - No SAMLBindingContext or binding URI available, error must be handled locally
I am new to setting up Shibboleth IDP, not sure what I am missing.
Any inputs would be appreciated
Shibboleth fails to decode the message. This behavior is to be seen if the AuthnReq is being sent to POST endpoint instead of Redirect or vice versa or if any of both endpoints are not configured properly. On UI, the error you will notice for this is "StaleRequest". I got a similar error in idp-process.log file "org.opensaml.messaging.decoder.MessageDecodingException: This message decoder only supports the HTTP GET method". The issue is pertaining to incorrect or misconfigured endpoints.
I was able to get this working by installing an IDP docker image from here
https://docs.google.com/document/d/1qb5XTde1nulCdA_8QUei48CxDj0lQs7ShD622Ze_4II/edit
The authentication flow is working now
I have an access token with the necessary scope. I also successful access the resource server. The error occur when the resource server try to fetch the user Principal from the Authorization server. I really hope i can get some hints or help about how i can solve this
The access Token:
{"access_token":"65ce0f1a-192f-4ad2-b7bb-cb9c7cbf0be9","token_type":"bearer","refresh_token":"f1e2a49d-5b24-4e9c-b9da-567eb47d6ab7","expires_in":149,"scope":"read write trust"}
The resource server call:
curl -H "Authorization:Bearer 65ce0f1a-192f-4ad2-b7bb-cb9c7cbf0be9" http://localhost:9001/resource/hello
Resource server output after the call:
2016-10-10 10:10:06.144 INFO 411 --- [nio-9001-exec-5] o.s.b.a.s.o.r.UserInfoTokenServices : Getting user info from: http://localhost:9000/auth/user
The endpoint (localhost:9000/auth/user) get executed but i always get the following response to my curl request:
{"error":"insufficient_scope","error_description":"Insufficient scope for this resource","scope":"read"}
I resolved this by removing the user info uri from the resource server properties. Since I use a jdbc token store, the resource server can verify the authenticity of the token from the database and not relying on the auth server anymore.
I'm getting this error when I try and access my website:-
HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers.
Most likely causes:
• No authentication protocol (including anonymous) is selected in IIS.
• Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication.
• Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server.
• The Web server is not configured for anonymous access and a required authorization header was not received.
• The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access.
Things you can try:
• Verify the authentication setting for the resource and then try requesting the resource using that authentication method.
• Verify that the client browser supports Integrated authentication.
• Verify that the request is not going through a proxy when Integrated authentication is used.
• Verify that the user is not explicitly denied access in the "configuration/system.webServer/authorization" configuration section.
• Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here.
Detailed Error Information:
Module UrlAuthorizationModule
Notification AuthorizeRequest
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x80070005
Physical Path D:\Logs
Logon Method Anonymous
Logon User Anonymous
More Information:
This error occurs when the WWW-Authenticate header sent to the Web server is not supported by the server configuration. Check the authentication method for the resource, and verify which authentication method the client used. The error occurs when the authentication methods are different. To determine which type of authentication the client is using, check the authentication settings for the client.
View more information »
Microsoft Knowledge Base Articles:
• 907273
• 253667
I have to use Anonymous authentication only, can anyone help please?
This unbelievably vague question and answer actually led me to the proper solution for the specific problem of HTTP 401.2 Unauthorized against an Anonymous Authentication resource in IIS. The "Authorization Rules" element within IIS allows a explicit Allow/Deny entries, with an explicit option for "All Anonymous Users." Specifying this solved an access problem I spent the better part of a day trying to resolve, and I thought I'd add the additional detail here.
For me, the solution was to go into IIS Manager, select the website, right-click on Authentication, select Open Feature, and then enable Anonymous Authentication.
This SO question has more possible solutions since it seems that there's a myriad of different reasons:- HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers
Ok, Finally i got solution to my problem.
'Authorization Rules' were not set up on system.
I setup required 'Authorization Rules' and able to browse site successfully.
I've downloaded the code from Spring's Get Started Guide - Accessing Twitter Data the https://spring.io/guides/gs/accessing-twitter/ .
I set up my credentials in application.properties and made no other changes. I run the app, and when it attempts to connect to Twitter, it fails with an exception on ConnectController line 240:
ResourceAccessException:
org.springframework.web.client.ResourceAccessException: I/O error on
POST request for "https://api.twitter.com/oauth/request_token":cannot
retry due to server authentication, in streaming mode; nested
exception is java.net.HttpRetryException: cannot retry due to server
authentication, in streaming mode
I have checked that the credentials are being read by the app. They are valid - I use them to connect with another application I've written with twitter4j, although in that case I use a Token and Token Secret in addition to the Consumer Key and Consumer Secret.
Any ideas?
Thanks
I had exactly the same issue as you : it happened because I did not set my callback URL in the twitter setting.
Just check in your twitter app settings that the callback field is set (I used the same URL as the website field).
I am implementing shibboleth IDP and SP. I have installed in my machine and tested it with testshib.org , both(IDP&SP) are working fine.
I am trying to use my own IDP with my SP.
Once I access the protected resource, SP redirects to the IDP login page correctly, after authentication is successful, it is redirected to the SP with the SAML encrypted response (With the servlet status code 500) Which shows the following error ,
"opensaml::FatalProfileException at (https://myip.address/Shibboleth.sso/SAML2/POST)
A valid authentication statement was not found in the incoming message."
I checked the native log which shows the following message.
"2013-08-29 20:22:36 ERROR Shibboleth.Listener [28868] shib_handler: remoted message returned an error: A valid authentication statement was not found in the incoming message.
2013-08-29 20:22:36 ERROR Shibboleth.Apache [28868] shib_handler: A valid authentication statement was not found in the incoming message."
How can I rectify this problem?
What do the IdP logs show for the corresponding authentication attempt? You may need to elevate the log levels to DEBUG for IdP, OpenSAML and/or LDAP (conf/logging.xml) to get sufficiently descriptive results.