I am using JMeter for performance testing, and as I try to replay the request I am getting the response header shown below.
I am using the HTTP Authorization Manager with the following info:
base url - example.com
username - username
password - kind
domain - example.com:80
Realm -
Mech - Basic_digest
Body size in bytes: 0
Sample Count: 1
Error Count: 1
Response code: 401
Response message: Unauthorized
Response headers:
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="Secured Area"
Server: BigIP
Connection: Keep-Alive
Content-Length: 0
Any thoughts on what I should try differently?
Thanks
Assumption 1: you're providing realm "Mech" and the server expects it to be "Secured Area".
As per RFC 1945:
The realm attribute (case-insensitive) is required for all authentication schemes which issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, which may have additional semantics specific to the authentication scheme.
So try changing "Realm" to "Secured Area" in the HTTP Authorization Manager to see how it goes.
Assumption 2: the authentication is not "Basic". See the Windows Authentication with Apache JMeter guide for details on how to bypass NTLM and Kerberos authentication challenges.
3/13 - I did resolve this by adding an Authorization header and removing the Authorization Manager altogether.
I am working on creating a performance test for an application based on Windows authentication.
The test plan is designed as follows:
Test Plan
    HTTP Cookie Manager
    HTTP Authorization Manager
    Thread Group
        HTTP Request 1
        HTTP Request 2
In the HTTP Authorization Manager section I have provided the base URL, username and password, and selected the Mechanism as BASIC_DIGEST.
Now assume that HTTP Request 2 is a file upload scenario.
When the steps were recorded, the file upload scenario had a Content-Type header with the value Multipart/form-data; boundary=----WebkitFormBoundaryxxxxxxxxxx.
Now when I execute the script, the boundary in the above format is not generated, which probably results in script failure. I need to understand what changes I might need to implement in order to generate the Content-Type correctly.
I believe that you should rather remove the Content-Type header from the HTTP Header Manager and tick the "Use multipart/form-data" box in the HTTP Request sampler.
The fact you're getting HTTP Status 401 means that your configuration of the HTTP Authorization Manager is not correct. If you're using your Windows domain credentials for accessing the application, your "Mechanism" choice might be wrong, as Kerberos is way more popular than NTLM. So inspect the network tab of your browser developer tools and see what the WWW-Authenticate and Authorization header values are; this way you can guess what mechanism is being used exactly and properly configure the HTTP Authorization Manager.
More information: Windows Authentication with Apache JMeter.
Is it possible to use digest auth in JMeter, when the server answers 401 with an auth header
(e.g. WWW-Authenticate: Digest realm="SD Digest Authentication Realm", qop="auth", nonce="MTYyNTE2Mjc5MDE4NDo0ZTQ0NWJjM2Y0MWQ4OGFlMzQyODRmMjEzNWViMTYwNQ==")
to the first request from the client, and the client must then resend the original request with properly formed auth headers?
I tried to use the HTTP Authorization Manager with HTTP client 4, but no luck.
JMeter does not send any auth header and does not repeat the original request.
Try removing this / from the "Domain" section; I don't think it's applicable for Digest authentication, it's more for NTLM and/or Kerberos. But given the server sends a proper WWW-Authenticate header even with a wrong HTTP Authorization Manager configuration, you should be seeing the Authorization request header.
Apart from this, I cannot reproduce your issue using a simple Apache web server with mod_auth_digest.
I am a rookie when it comes to JMeter and I am struggling to get an HTTP Request to run successfully (even for 1 iteration).
The site being tested is an intranet site used by staff. In terms of accessing it via any browser, the homepage loads (having authenticated me as a user through my domain login/password, through logging in to my laptop). From what I can gather from tools such as Fiddler:
GET request to the server sent; server response is 401 Unauthorized (WWW-Authenticate: Negotiate).
GET request header sent back with Authorization: Negotiate HASH; server response is 401 Unauthorized with a different WWW-Authenticate: Negotiate HASH.
GET request sent back with the same Authorization: Negotiate HASH as received in the previous server response. Server responds with HTTP 200.
I am struggling to get the above working in JMeter. I have tried capturing the output from the BlazeMeter Chrome plugin and saving it as a .jmx file, but replaying this results in:
Server Error
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
Any ideas as to how I should go about getting this to work would be greatly appreciated.
JMeter comes with the HTTP Authorization Manager, which you can use to bypass the NTLM authentication challenge. Just add it to your Test Plan and provide the following values:
Username: your Windows domain user name
Password: your Windows domain password
Domain: your Windows domain
Mechanism: BASIC_DIGEST
The HTTP Authorization Manager should automatically handle the auth flow. See the Windows Authentication with Apache JMeter article for more details if required.
In our company, the web app that we are testing uses the Active Directory roles assigned to the user for accessing the website.
Edit:
Important information that I forgot to mention is that, while accessing the website, I am not prompted for the username and password. The website is only displayed if I have the correct Active Directory role assigned to my user profile.
For example:
Opening IE as myself: able to access the website.
Opening IE as a service account (with the required Active Directory roles): able to access the website.
Opening IE as a different user outside my project: not able to access the website.
I have tried (skeptically, desperate to get it working) Basic/Kerberos authorization in the HTTP Authorization Manager and even running JMeter as that service account, still no luck. I keep getting the below:
Thread Name: Users 1-1
Sample Start: 2017-04-26 17:08:18 CDT
Load time: 83
Connect Time: 13
Latency: 83
Size in bytes: 438
Sent bytes:136
Headers size in bytes: 243
Body size in bytes: 195
Sample Count: 1
Error Count: 1
Data type ("text"|"bin"|""): text
Response code: 401
Response message: Unauthorized
Response headers:
HTTP/1.1 401 Unauthorized
Server: nginx/1.10.1
Date: Wed, 26 Apr 2017 22:08:18 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Negotiate
X-Frame-Options: deny
X-Content-Type-Options: nosniff
HTTPSampleResult fields:
ContentType: text/html
DataEncoding: null
I am just trying to find out if anyone here has got JMeter working in a similar scenario, or if anyone can point me in the right direction to overcome this hurdle.
Thanks all for your help in advance.
You need to identify the exact implementation of the authentication in your application.
Given you receive WWW-Authenticate: Negotiate, this is definitely not Basic HTTP Auth.
Negotiate may stand either for NTLM or for Kerberos (or in some cases for both, i.e. if Kerberos is not successful it will fall back to NTLM), and JMeter needs to be configured differently for these schemes.
For example, for NTLM you need to provide only credentials and domain in the HTTP Authorization Manager, and for Kerberos you need to populate Realm and set your Kerberos settings (KDC and login config) in the jaas.conf and krb5.conf files.
See the Windows Authentication with Apache JMeter article for more information and example configurations.
What do we have?
Client: Windows 8, IE11, logged into the system using domain credentials.
Server: 3 Tomcat 7 nodes running behind Apache 2.2.22. The application uses the Waffle library to authenticate Windows users who are logged into the domain, in SSO manner.
The application uses Spring Security, and the main thing regarding this topic is that the filter that handles login via form comes before the filter that handles authentication headers.
NegotiateSecurityFilterProvider supports only the Negotiate protocol, not NTLM.
What do we do?
Go into the application via a direct link: https://app.domain.com/app_name/subordinates.do.
It is OK; we are bearing a valid Kerberos header (a good big Kerberos token, which Fiddler describes as 'Authorization Header (Negotiate) appears to contain a kerberos ticket' ^^) and Waffle on the application side passes us inside with a Kerberos reply.
Logout.
Login via the form on the login page: we make a POST request with user_name and password, again bearing the same Kerberos token. The application uses user_name and password to log us in with the help of Waffle WindowsAuthenticationProvider. Here we get authenticated before we reach NegotiateSecurityFilter, so there is no Kerberos header in the reply from the server. Anyway, everything is OK.
Now we log into an MS account via the OS. And magic happens.
When trying to log in via the direct link we get the 'The handle specified is invalid' error on the login page as the SPRING_SECURITY_LAST_EXCEPTION constant. My guess here is that we send some kind of invalid authorization header.
And when trying to log in via the form we get 'The parameter is incorrect'. Here I think we send an NTLM type 1 POST request with an empty body, but we still have an invalid header, so the application does not recognize it and does not send a 401 reply, and thereafter Waffle sends a null name to AD and here the error comes (just a guess).
BUT when I turn Fiddler on to see what really happens, then everything begins to work fine as before logging into the MS account. OK, to figure out what headers are sent to the server I used some code inside a cmd file:
UPDATED: added code and output
    using System;
    using System.Net;

    class Program
    {
        static void Main()
        {
            var cookieContainer = new CookieContainer();
            var authRequest = (HttpWebRequest)WebRequest.Create("https://app.domain.com/app_name/home.do");
            // Use the logged-on Windows user's credentials so the client negotiates Kerberos/NTLM itself.
            var credentials = CredentialCache.DefaultNetworkCredentials;
            authRequest.Credentials = credentials;
            authRequest.CookieContainer = cookieContainer;
            authRequest.AllowAutoRedirect = false; // keep the 302 so its headers can be inspected
            var authResponse = (HttpWebResponse)authRequest.GetResponse();
            Console.WriteLine("Request headers:");
            foreach (string header in authRequest.Headers.AllKeys) {
                Console.WriteLine("\t{0}: {1}", header, authRequest.Headers.Get(header));
            }
            Console.WriteLine("\nResponse: {0} {1}", (int)authResponse.StatusCode, authResponse.StatusDescription);
            Console.WriteLine("Response headers:");
            foreach (string header in authResponse.Headers)
                Console.WriteLine("\t{0}: {1}", header, authResponse.GetResponseHeader(header));
            foreach (var cookie in cookieContainer.GetCookies(new Uri("https://app.domain.com/app_name/")))
                Console.WriteLine("Received cookie: {0}", cookie);
            Console.WriteLine("\nPress ENTER to exit");
            Console.ReadLine();
        }
    }
Here is what I get:
Request headers:
Authorization: Negotiate oTMwMaADCgEBoioEKE5UTE1TU1AAAQAAAJeCCOIAAAAAAAAAAAAAAAAAAAAABgOAJQAAAA8=
Host: {host}
Cookie: JSESSIONID={sessionId}
Response: 302 Found
Response headers:
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/ plain; charset=UTF-8
Date: Tue, 04 Feb 2014 11:44:15 GMT
Location: https://app.domain.com/app_name/login.do?error_code=1
Server: Apache/2.2.22 (Win32) mod_ssl/2.2.22 OpenSSL/0.9.8t mod_jk/1.2.37
Received cookie: JSESSIONID={sessionId}
It is definitely a much smaller header than the Kerberos one that Fiddler sees when authentication works.
So the questions are:
1. Why does logging into an MS account affect what headers are sent to the server?
2. Why does it begin to work when Fiddler is on?
3. What type of header is this: Negotiate oTMwMaADCgEBoioEKE5UTE1TU1AAAQAAAJeCCOIAAAAAAAAAAAAAAAAAAAAABgOAJQAAAA8= and how should it be handled by the server?
UPDATE 17 March 2014:
A Wireshark capture shows a KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN error after the TGS request; the server mentioned is the machine name with Apache.
After investigation with the support team we found out that the special user which is used to run the Tomcat servers on different nodes didn't have an SPN for the domain name of the machine with Apache (it had an SPN for the resource domain name but not for the current machine). After the SPN was added the problem disappeared.
After decoding oTMwMaADCgEBoioEKE5UTE1TU1AAAQAAAJeCCOIAAAAAAAAAAAAAAAAAAAAABgOAJQAAAA8= we can see that it contains NTLMSSP (a new version).
Check the browser configuration:
In Internet Explorer: the webpage should be in the "Local intranet" zone (a zone in which the user is logged in automatically) and IWA (Integrated Windows Authentication) should be enabled.
If that's not the case, please take a look in Wireshark for DNS and Kerberos packets.
Check DNS:
IE uses DNS to resolve the webserver address into a principal name. A CNAME address is resolved into an A address. If not found, IE will not ask for a Kerberos service ticket at all (and will fall back to NTLM).
Check SPNs:
When Active Directory can't find the requested principal (or there are two or more), then IE falls back to NTLM.
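The decoding step this answer relies on, and the "is Negotiate really Kerberos or NTLM?" question raised in the earlier answer about JMeter configuration, can be automated. The following is an added example (not code from any of the posts above): it parses the SPNEGO framing of a Negotiate token, looks for the NTLMSSP signature or the Kerberos mechanism OIDs, and for an NTLM message reports its type, flags and the client OS version field. The token string is the one quoted in the question; the OID and flag constants come from RFC 4178 and MS-NLMP.

```python
import base64
import struct

# DER-encoded OIDs seen inside SPNEGO tokens (RFC 4178, MS-SPNG) and NTLM constants (MS-NLMP).
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2 (legacy MS OID)
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# The header value the question's .NET client sent (copied from the post above).
PAGE_TOKEN = "Negotiate oTMwMaADCgEBoioEKE5UTE1TU1AAAQAAAJeCCOIAAAAAAAAAAAAAAAAAAAAABgOAJQAAAA8="


def classify_token_bytes(raw: bytes) -> dict:
    """Report the SPNEGO framing and the real mechanism (Kerberos or NTLM) inside a token."""
    info = {"wrapper": "unknown", "mechanism": "unknown", "size": len(raw)}
    # 0x60 = GSS-API InitialContextToken (NegTokenInit or bare Kerberos AP-REQ); 0xa1 = NegTokenResp.
    if raw[:1] == b"\x60":
        info["wrapper"] = "SPNEGO NegTokenInit" if SPNEGO_OID in raw[:16] else "GSS-API InitialContextToken"
    elif raw[:1] == b"\xa1":
        info["wrapper"] = "SPNEGO NegTokenResp"
    sig = raw.find(NTLMSSP_SIGNATURE)
    if sig != -1 and len(raw) >= sig + 16:
        # NTLMSSP message: 8-byte signature, MessageType (LE32), NegotiateFlags (LE32), then fields.
        msg_type, flags = struct.unpack_from("<II", raw, sig + 8)
        info["mechanism"] = "NTLM"
        info["ntlm_message"] = NTLM_MESSAGE_TYPES.get(msg_type, f"type {msg_type}")
        info["ntlm_flags"] = f"0x{flags:08x}"
        # With NTLMSSP_NEGOTIATE_VERSION set, bytes 32..39 carry the client's OS version.
        if flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= sig + 40:
            major, minor, build = struct.unpack_from("<BBH", raw, sig + 32)
            info["client_os"] = f"{major}.{minor}.{build}"
    elif KRB5_OID in raw or MS_KRB5_OID in raw:
        info["mechanism"] = "Kerberos"
    elif NTLMSSP_OID in raw:
        info["mechanism"] = "NTLM (offered in mechTypes, no NTLMSSP message yet)"
    return info


def classify_negotiate_token(header_value: str) -> dict:
    """Parse an 'Authorization: Negotiate <base64>' header value and classify its token."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    return classify_token_bytes(base64.b64decode(b64))


if __name__ == "__main__":
    for key, value in classify_negotiate_token(PAGE_TOKEN).items():
        print(f"{key}: {value}")
```

Run against the question's token it reports an NTLM NEGOTIATE (type 1) message inside a NegTokenResp, which is exactly the fallback the accepted answer's DNS and SPN checks are meant to prevent; a Kerberos ticket shows up as a NegTokenInit whose mechTypes list leads with a Kerberos OID.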