In our company the web app that we are testing uses the active directory roles assigned to the user for accessing the website.
Edit:
Important information that I forgot to mention is that, while accessing the website I am not prompted for the username and password. The website is only displayed if I have the correct Active Directory role assigned to my user profile.
For Example,
Opening IE as myself - able to access the website.
Opening IE as a service account (with required Active Directory roles) - able to access the website.
Opening IE as a different user outside my project - not able to access the website.
I have tried (skeptically, desperate to get it working) Basic/ Kerberos Authorization in the HTTP Authorization Manager and even running JMeter as that service account still no luck. I keep getting the below
Thread Name: Users 1-1
Sample Start: 2017-04-26 17:08:18 CDT
Load time: 83
Connect Time: 13
Latency: 83
Size in bytes: 438
Sent bytes:136
Headers size in bytes: 243
Body size in bytes: 195
Sample Count: 1
Error Count: 1
Data type ("text"|"bin"|""): text
Response code: 401
Response message: Unauthorized
Response headers:
HTTP/1.1 401 Unauthorized
Server: nginx/1.10.1
Date: Wed, 26 Apr 2017 22:08:18 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Negotiate
X-Frame-Options: deny
X-Content-Type-Options: nosniff
HTTPSampleResult fields:
ContentType: text/html
DataEncoding: null
I am just trying to find out if any one here has got the JMeter working in a similar scenario/ if any one can point me in the right direction to overcome this hurdle.
Thanks all for your help in advance.
You need to identify the exact implementation of the authentication in your application.
Given you receive WWW-Authenticate: Negotiate - this is definitely not Basic HTTP Auth.
Negotiate may stand either for NTLM or for Kerberos (or in some cases for both, i.e. if Kerberos is not successful it will fall back to NTLM) and JMeter needs to be configured differently for these schemes.
For example for NTLM you need to provide only credentials and domain in the HTTP Authorization Manager and for Kerberos you need to populate Realm and set your Kerberos settings (KDC and login config) under jaas.conf and krb5.conf files
See Windows Authentication with Apache JMeter article for more information and example configurations.
Related
I'm relatively new to JMeter, but I am having a hard time getting an HTTP Sampler to land on a secured webpage. I think it requires NTLM authentication, so I used the HTTP Authorization Manager to pass credentials as specified in the BlazeMeter guide
My Authorization Manager has the following values:
Base URL: https:// [test site]
Username: [my user name]
Password: [my password]
Domain: Same as base URL
Mechanism: BASIC_DIGEST
However, I just get a 401 error (see Sampler Message below)
Thread Name: Thread Group 1-1
Sample Start: 2018-02-21 15:55:18 PST
Load time: 26
Connect Time: 0
Latency: 26
Size in bytes: 1602
Sent bytes:229
Headers size in bytes: 309
Body size in bytes: 1293
Sample Count: 1
Error Count: 1
Data type ("text"|"bin"|""): text
Response code: 401
Response message: 401
Response headers:
HTTP/1.1 401 401
Content-Type: text/html
Content-Language: en
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="BasicSecurityFilterProvider"
X-Powered-By: ASP.NET
Date: Wed, 21 Feb 2018 23:55:18 GMT
Connection: close
Content-Length: 1293
HTTPSampleResult fields:
ContentType: text/html
DataEncoding: iso-8859-1
I tried the following, but still get a 401 error. Any suggestions?
Changing all HTTP Request implementations to HTTPClient4
Setting httpclient4.auth.preemptive=true in the user.properties
Enable Use KeepAlive option
As per Windows Authentication with Apache JMeter guide you should replace Domain to not to be your base URL but rather Windows Domain name. As per the referenced guide:
Domain: should be “what you see in Windows Security pop-up” as this is what real browsers do. If you are uncertain you can type a fully qualified domain name into that field.
You can also figure out your domain name by running systeminfo command like:
systeminfo | find "Domain"
Dears
I have invested quite some time in trying to post tweets to my own twitter user account from my web site without using any ready-made solutions.
The web site is given read/write access on app.twitter.com and i have regenerated all keys.
I am following the Twitter API instructions referring to endpoint "POST /1.1/statuses/update.json"
I have double checked all my objects and am still getting
response =--- !ruby/object:Net::HTTPUnauthorized
http_version: '1.1'
code: '401'
message: Authorization Required
header:
connection:
- close
content-length:
- '89'
content-type:
- application/json; charset=utf-8
date:
- Wed, 18 Oct 2017 15:28:19 GMT
server:
- tsa_o
set-cookie:
- personalization_id="v1_pxDMvL5ZrViFDcn8AfFemw=="; Expires=Fri, 18 Oct 2019 15:28:19
UTC; Path=/; Domain=.twitter.com
- guest_id=v1%3A150834049962807489; Expires=Fri, 18 Oct 2019 15:28:19 UTC; Path=/;
Domain=.twitter.com
strict-transport-security:
- max-age=631138519
x-connection-hash:
- '05228a7a2026efc93a8a2d4b1a8c6460'
x-response-time:
- '142'
x-tsa-request-body-time:
- '1'
body: '{"errors":[{"code":32,"message":"Could not authenticate you."}]}'
read: true
uri:
decode_content: true
socket:
body_exist: true
I want to send a simple "Hello" from my web site to my twitter account and have double checked all parts which will be presented below.
Also, same logic is used to authenticate me on my web site using my twitter account. So I know authorization (3-legs) works properly.
for posting tweets with my rails app, I have tried both 1) posting the tweet using my app's consumer and access token pairs without going all the authorization steps as well as 2) guiding myself to twitter for explicitly re-authorizing my web site to post the tweet. Both scenarios lead to Error 401. Everything works, except the actual tweeting step.
Any help is very much appreciated. Please note, I am not interested in using a gem and have read thoroughly the associated API documentation.
Here all the constituents of my post request :
Parameter String:
include_entities=true&
oauth_consumer_key=Xffffffffffffffffffffffff&
oauth_nonce=1vGbvxCqsfGi47L7ecpRnwA33fEojFoy6J2hkRpa8&
oauth_signature_method=HMAC-SHA1&
oauth_timestamp=1508340584&
oauth_token=4444444444-GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG&
oauth_version=1.0&
status=Hello
signature base string:
POST&
https%3A%2F%2Fapi.twitter.com%2F1.1%2Fstatuses%2Fupdate.json&
include_entities%3Dtrue%26
oauth_consumer_key%3DXffffffffffffffffffffffff%26
oauth_nonce%3D1vGbvxCqsfGi47L7ecpRnwA33fEojFoy6J2hkRpa8%26
oauth_signature_method%3DHMAC-SHA1%26
oauth_timestamp%3D1508340584%26
oauth_token%3D4444444444-GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG%26
oauth_version%3D1.0%26
status%3DHello
signing key:
W6SzwsKSXwFpl8tb0UNJFoCTW6crf6p3JaS8GipJMErofZVLAA&ENxK6XHG8h2EI7dOeSL0fABJzqnzs7FhP6QirBbXvd0br
signature:
0zx68mHx/SxhHkoRpaqZmO8iC2s=
header string:
OAuth oauth_consumer_key="Xffffffffffffffffffffffff",
oauth_nonce="1vGbvxCqsfGi47L7ecpRnwA33fEojFoy6J2hkRpa8",
oauth_signature="0zx68mHx%2FSxhHkoRpaqZmO8iC2s%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1508340584",
oauth_token="4444444444-GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG",
oauth_version="1.0"
POST REQUEST
request =--- !ruby/object:Net::HTTP::Post
method: POST
request_has_body: true
response_has_body: true
uri:
path: "/1.1/statuses/update.json?include_entities=true"
decode_content: true
header:
content-type:
- application/x-www-form-urlencoded
authorization:
- OAuth oauth_consumer_key="Xffffffffffffffffffffffff", oauth_nonce="1vGbvxCqsfGi47L7ecpRnwA33fEojFoy6J2hkRpa8",
oauth_signature="0zx68mHx%2FSxhHkoRpaqZmO8iC2s%3D", oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1508340584", oauth_token="4444444444-GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG",
oauth_version="1.0"
host:
- api.twitter.com
accept-encoding:
- gzip;q=1.0,deflate;q=0.6,identity;q=0.3
accept:
- "*/*"
user-agent:
- Ruby
body: '{"status":"Hello"}'
body_stream:
body_data:
I finally got it to work. Several issues existed. Not with the signatures and the authorization headers. Instead issues existed in the time stamp used, which was not synchronized properly and also not in GMT as twitter is expecting. I synchronized my system clock against time.google.com and this part was done. Now, there was also an issue about the header which needed also sorting, contrary to twitter's own docs talking about sorting in the context of the signature base string only. I found out that also the extended header needs sorting. Extended because it contains the tweet itself which is not part of the signature calculation. once this part was built in posting the tweet was successful
I am using Jmeter for performance testing and as i try to replay the request I am getting the following response header
I am using HTTP Authorization Manager with the following info
base url - example.com
username - username
password - kind
domain - example.com:80
Realm -
Mech - Basic_digest
Body size in bytes: 0
Sample Count: 1
Error Count: 1
Response code: 401
Response message: Unauthorized
Response headers:
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="Secured Area"
Server: BigIP
Connection: Keep-Alive
Content-Length: 0
anythoughts on what I should try different
Thanks
Assumption 1: you're providing realm Mech and server expects it to be Secured Area.
As per RFC 1945
The realm attribute (case-insensitive) is required for all
authentication schemes which issue a challenge. The realm value
(case-sensitive), in combination with the canonical root URL of the
server being accessed, defines the protection space. These realms
allow the protected resources on a server to be partitioned into a
set of protection spaces, each with its own authentication scheme
and/or authorization database. The realm value is a string, generally
assigned by the origin server, which may have additional semantics
specific to the authentication scheme.
So try changing "Realm" in to "Secured Area" in HTTP Authorization Manager to see how it goes.
Assumption 2: authentication is not "Basic". See Windows Authentication with Apache JMeter guide for details on how to bypass NTLM and Kerberos authentication challenges.
3/13 - I did resolve this by adding a authorization header and removing the authorization manager all together.
I am an Oracle Developer, we have a requirement to read the contents of a filenet documents via oracle database , but OpenSSO is enabled in our environments which is currently blocking us to read the data from filenet server.
While checking with OpenSSO guys , they confirmed that while invoking the filenet URL via browser , a session cookie gets generated in OpenSSO which plays a significant role in authentication.
But , when we tried to invoke the same filenet URL via Oracle pl/sql ( i.e database) , we could see the cookie details as below. However, we don't understand , why opensso was still not showing 'successful authentication'.
We googled the error code X-AuthErrorCode: -1 which says "In the response you're going to receive "X-autherrorcode" header, if it's value 0, then the login was successful. Also, you need to check the
iPlanetDirectoryPro cookie for admin session id".
With all these information, can someone please help us in getting the root cause of the authentication failure in OpenSSO?
HTTP response status code: 200
HTTP response reason phrase: OK
X-Powered-By: JSP/2.1
Server: Sun GlassFish Enterprise Server v2.1
Cache-Control: private
Pragma: no-cache
Expires: 0
X-DSAMEVersion: (2011-March-02 18:42)
AM_CLIENT_TYPE: genericHTML
Set-Cookie:
AMAuthCookie=AQIC5wM2LY4SfcyXSVnslvF7a5TLMa4KXz5Op9tRKzczinU.*AAJTSQACMDE.
*; Domain=.companyname.co.uk; Path=/
Set-Cookie: amlbcookie=01; Domain=.companyname.co.uk; Path=/
X-AuthErrorCode: -1
Set-Cookie: AMAuthCookie=LOGOUT; Domain=.companyname.co.uk;
Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: JSESSIONID=286b0c94d89dffd4f602831969ae; Path=/opensso;
Secure
Content-Type: text/html;charset=UTF-8
Date: Fri, 24 Oct 2014 14:19:23 GMT
Connection: close
While downloading a Text file from filenet, we got the content as below
HTTP Status 401 -
type Status report
message
descriptionThis request requires HTTP authentication ().
Sun GlassFish Enterprise Server v2.1.1
Can someone please help me at the earliest to get a solution for this ? Is this really possible to make the authentication success via oracle database packages rather than invoking the URL via browser ? if it is possible what should be next step I need to do ?
Any help would be much appreciated.
Thanks and Regards,
Remya Sudhakaran
What we have?
Client : win8, ie11, logged in into system using domain credentials.
Server : 3 tomcat7 nodes run beyond apache 2.2.22. application uses waffle library to authenticate windows users who are logged in into domain in sso manner.
Application uses spring security and the main thing regarding this topic is that filter that handles login via form comes before filter that handles authentication headers.
NegotiateSecurityFilterProvider supports only Negotiate protocol, not NTLM
What we do?
Go into application via direct link : https://app.domain.com/app_name/subordinates.do.
It is ok, we are bearing valid kerberos header (it is good and big one kerberos token which fiddler describes as 'Authorization Header (Negotiate) appears to contain a kerberos ticket' ^^) and waffle on application side passes us inside with kerberos reply.
Logout.
Login via form on login page: we make post request with user_name and password, again we bearing same kerberos token. Application uses user_name and password to login us with help of waffle WindowsAuthenticationProvider. Here we get authenticate before we rich NegotiateSecurityFilter, so there is no any kerberos header within reply from server. Anyway everything is ok.
Now we are log into MS account via OS. And magic happens.
When trying to login via direct link we get 'The handle specified is invalid' error on login page as SPRING_SECURITY_LAST_EXCEPTION constant. my guess here is that we send some kind of invalid authorization header
And when trying to login via form we get 'The parameter is incorrect'. here i think we send ntlm type 1 POST request with empty body but we still have invalid header so application does not recognize it and does not sent 401 reply and thereafter waffle sends null name to AD and here error comes (just guess)
BUT when I turn fiddler on to see what is really happened then everything begins to work fine as before login into MS account. Ok, to figure out what header are sent to the server I used some code inside cmd file:
UDPATED add code and output
var cookieContainer = new CookieContainer();
var authRequest = (HttpWebRequest) WebRequest.Create("https://app.domain.com/app_name/home.do");
var credentials = CredentialCache.DefaultNetworkCredentials;
authRequest.Credentials = credentials;
authRequest.CookieContainer = cookieContainer;
authRequest.AllowAutoRedirect = false;
var authResponse = (HttpWebResponse)authRequest.GetResponse();
Console.WriteLine("Request headers:");
foreach (string header in authRequest.Headers.AllKeys) {
Console.WriteLine("\t{0}: {1}", header, authRequest.Headers.Get(header));
}
Console.WriteLine("\nResponse: {0} {1}", (int)authResponse.StatusCode, authResponse.StatusDescription);
Console.WriteLine("Response headers:");
foreach (string header in authResponse.Headers)
Console.WriteLine("\t{0}: {1}", header, authResponse.GetResponseHeader(header));
foreach (var cookie in cookieContainer.GetCookies(new Uri("https://app.domain.com/app_name/")))
Console.WriteLine("Received cookie: {0}", cookie);
Console.WriteLine("\nPress ENTER to exit");
Console.ReadLine();
Here what I get:
Request headers:
Authorization: Negotiate oTMwMaADCgEBoioEKE5UTE1TU1AAAQAAAJeCCOIAAAAAAAAAAAAAAAAAAAAABgOAJQAAAA8=
Host: {host}
Cookie: JSESSIONID={sessionId}
Response: 302 Found
Response headers:
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/ plain; charset=UTF-8
Date: Tue, 04 Feb 2014 11:44:15 GMT
Location: https://app.domain.com/app_name/login.do?error_code=1
Server: Apache/2.2.22 (Win32) mod_ssl/2.2.22 OpenSSL/0.9.8t mod_jk/1.2.37
Received cookie: JSESSIONID={sessionId}
It is definitely much smaller header than kerberos one what fiddler sees when authentication works.
So questions are:
1. Why does loging into MS account affect what headers are sent to server?
2. Why it begins to work when fiddler on?
3. What type of this header : Negotiate oTMwMaADCgEBoioEKE5UTE1TU1AAAQAAAJeCCOIAAAAAAAAAAAAAAAAAAAAABgOAJQAAAA8= and how should it be handled by server?
UPDATE 17 March 2014:
wireshark capture shows KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN error after tgs request, server mentioned - machine name with apache.
After investigation with support team we found out that special user which is used to run tomcat servers on different nodes didn't have spn for domain name of machine with apache (it had spn for resource domain name but not for current machine). After spn was added problem disappeared.
After decoding oTMwMaADCgEBoioEKE5UTE1TU1AAAQAAAJeCCOIAAAAAAAAAAAAAAAAAAAAABgOAJQAAAA8= we can see that it contains NTLMSSP (a new version).
Check browsers configuration:
In Internet Explorer: webpage should be in "Local intranet" zone (in a zone in which user is logged automatically) and that IWA, Integrated Windows Authentication is enabled.
If that's not the case, please take a look in Wireshark for dns and kerberos packets.
Check DNS:
IE uses dns to resolve webserver address into principal name. CNAME address is resolved into A address. If not found, IE will not ask for Kerberos service ticket at all (and will fallback to NTLM).
Check SPNs:
When Active Directory can't find requested principal (or there or two, or more). Then IE falls back into NTLM.