jmeter-user mailing list archives

From Felix Schumacher <felix.schumac...@internetallee.de>
Subject Re: Jmeter user authentication over Kerberos not succeeding
Date Fri, 16 Jan 2015 17:37:09 GMT
On 16.01.2015 at 13:46, Philippe Mouawad wrote:
> Hi Felix,
> Maybe docs could be amended to help on this ?
Maybe Martijn could enlighten us, where the docs were missing.

For a start I did some minor formatting in the components docs.

Regards
  Felix

> Regards
>
> On Fri, Jan 16, 2015 at 1:25 PM, Felix Schumacher <
> felix.schumacher@internetallee.de> wrote:
>
>>
>> On 16 January 2015 13:21:32 CET, Martijn de Vrieze <
>> martijndevrieze@qa-rocks.com> wrote:
>>> Hey Felix,
>>>
>>> you are indeed right! Got it working now. Needed to flip the URL in
>>> krb5 to the Domain Controller and switch off the default_tkt_enctypes
>>> and default_tgs_enctypes
>> Glad, that I could help you.
>>
>>> How do I stop answering in top-post style? Sorry, no idea what I
>>> should do differently, I just hit reply in gmail.
>> Can't help you there, but a google search might help.
>>
>> Regards
>> Felix
>>>
>>>
>>> On Fri, Jan 16, 2015 at 12:59 PM, Felix Schumacher
>>> <felix.schumacher@internetallee.de> wrote:
>>>> On 16.01.2015 10:49, Martijn de Vrieze wrote:
>>>>> Hey Felix,
>>>>>
>>>>> thanks for the help so far :)
>>>>> BTW, does it make a difference that I am working from a 64b Linux box?
>>>>> Although when within the domain, on a windows (citrix) box I get the same
>>>>> errors.
>>>> I do my testing from linux, so I am sure, that linux works.
>>>>
>>>>> I started off initially trying it over 88, which gives the exact same
>>>>> time-out.
>>>> Then maybe not only the port is wrong, but the dns name also? The kdc
>>>> is not the website server you are trying to connect to, but the key
>>>> distribution center, that is the kerberos server.
>>>>> When I asked the implementation partner they claimed it should just run
>>>>> over 443, but then again, what do they know :)
>>>> If they tell you it is 443, they probably mean the webserver, which
>>>> is most likely not the kdc.
>>>>> One thing I have noticed so far, is that the request headers contain
>>>>> nothing towards auth types:
>>>> That is OK, since you have no TGT or service ticket and if it is the
>>>> first request no knowledge, that the server is willing to speak SPNEGO.
>>>>
>>>>>
>>>>> Request Headers:
>>>>> Connection: keep-alive
>>>>> User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
>>>>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>>>> Accept-Language: en-US,en;q=0.5
>>>>> Accept-Encoding: gzip, deflate
>>>>> Pragma: no-cache
>>>>> Cache-Control: no-cache
>>>>> Host: tst-crm20.veh.nl
>>>>>
>>>>> Whereas the response header does tell me the www-auth => negotiate
>>>>>
>>>>> Thread Name: Jmeter 1-1
>>>>> Sample Start: 2015-01-16 10:36:01 CET
>>>>> Load time: 90209
>>>>> Latency: 90208
>>>>> Size in bytes: 485
>>>>> Headers size in bytes: 425
>>>>> Body size in bytes: 60
>>>>> Sample Count: 1
>>>>> Error Count: 1
>>>>> Response code: 401
>>>>> Response message: Unauthorized
>>>>>
>>>>> Response headers:
>>>>> HTTP/1.1 401 Unauthorized
>>>>> Cache-Control: private
>>>>> Transfer-Encoding: chunked
>>>>> Content-Type: text/plain
>>>>> Server: Microsoft-IIS/8.5
>>>>> X-AspNet-Version: 4.0.30319
>>>>> REQ_ID: e73cba80-97e4-4444-a201-a50ab6957a31
>>>>> Set-Cookie: ReqClientId=51c362af-23e0-4dad-a299-10e6bf67c310; expires=Fri, 16-Jan-2065 09:37:31 GMT; path=/; secure; HttpOnly
>>>>> WWW-Authenticate: Negotiate
>>>> This is good, as it means that the server is willing to speak SPNEGO
>>>> with you.
>>>>> X-Powered-By: ASP.NET
>>>>> Date: Fri, 16 Jan 2015 09:37:31 GMT
>>>>>
>>>>>
>>>>> HTTPSampleResult fields:
>>>>> ContentType: text/plain
>>>>> DataEncoding: null
>>>>>
>>>>>
>>>>>
>>>>> Also, Tried connecting straight through Java and that worked like a charm.
>>>>> Code is somewhat like this:
>>>>>
>>>>> public class NTLM_ping {
>>>>>      public NTLM_ping(){
>>>>>          super();
>>>>>      }
>>>>>
>>>>>      public static void main(String[]args) throws Exception {
>>>>>
>>>>>          DefaultHttpClient httpClient = new DefaultHttpClient();
>>>>>          httpClient.getAuthSchemes().register("ntlm", new NTLMSchemeFactory());
>>>> That is great, but you are not using kerberos here.
>>>>
>>>> This is NTLM, which you could use with jmeter, too. I believe you
>>>> have to fill in the domain and realm columns and use BASIC_DIGEST
>>>> instead of Kerberos.
>>>>
>>>> But keep in mind, that kerberos is cooler and probably more secure.
>>>>
>>>>>          // add credentials
>>>>>
>>>>>          httpClient.getCredentialsProvider().setCredentials(
>>>>>                  new AuthScope("TEST", -1),
>>>>>                  new NTCredentials("m.devrieze","PassWord","tst-crm20.test.nl","TEST"));
>>>>>
>>>>>          HttpGet httpGet = new HttpGet("http://tst-crm20.test.nl");
>>>>>
>>>>>          // ignore cookies
>>>>>
>>>>>          /*httpGet.getParams().setParameter("http.protocol.cookie-policy",
>>>>>                  CookiePolicy.ACCEPT_ALL);
>>>>>          */
>>>>>          try{
>>>>>              // execute the GET
>>>>>              HttpResponse status = httpClient.execute(httpGet);
>>>>>              System.out.println(status.getProtocolVersion());
>>>>>
>>>>>              System.out.println(status.getStatusLine().getStatusCode());
>>>>>              System.out.println(status.getStatusLine().getReasonPhrase());
>>>>>              System.out.println(status.getStatusLine().toString());
>>>>>          }finally {
>>>>>              // release any sources
>>>>>          }
>>>>>      }
>>>>> }
>>>>>
>>>> And by the way, could you stop answering in top-post style?
>>>>
>>>> Regards
>>>>   Felix
>>>>
>>>>
>>>>>
>>>>>
>>>>> On Fri, Jan 16, 2015 at 10:21 AM, Felix Schumacher <
>>>>> felix.schumacher@internetallee.de> wrote:
>>>>>
>>>>>> On 16.01.2015 09:58, Martijn de Vrieze wrote:
>>>>>>
>>>>>>> krb5.conf
>>>>>>>
>>>>>>> [libdefaults]
>>>>>>> default_realm = TEST.NL
>>>>>>> default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>> default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>> forwardable=true
>>>>>>>
>>>>>>> [realms]
>>>>>>> TEST.NL = {
>>>>>>>          kdc = tst-crm20.test.nl:443
>>>>>>>
>>>>>> This is a strange port for a kdc. I would expect it to listen on 88.
>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> [domain_realm]
>>>>>>> test.nl= TEST.NL
>>>>>>> .test.nl= TEST.NL
>>>>>>>
>>>>>>> [appdefaults]
>>>>>>>   pam = {
>>>>>>>     debug = false
>>>>>>>     ticket_lifetime = 36000
>>>>>>>     renew_lifetime = 36000
>>>>>>>     forwardable = true
>>>>>>>     krb4_convert = false
>>>>>>>   }
>>>>>>>
>>>>>>> jaas.conf
>>>>>>>
>>>>>>>
>>>>>>> JMeter {
>>>>>>>      com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>      doNotPrompt=false
>>>>>>>      useKeyTab=false
>>>>>>>      storeKey=false;
>>>>>>> };
>>>>>>>
>>>>>>> On rerunning I received the following error (which I have not seen
>>>>>>> before:
>>>>>>> 2015/01/16 09:57:52 WARN  - org.apache.http.client.protocol.RequestTargetAuthentication: NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
>>>>>>>
>>>>>> That is probably because you don't connect to the right port and no one
>>>>>> responds to you. Try another kdc port.
>>>>>>
>>>>>> Regards
>>>>>>   Felix
>>>>>>
>>>>>>> *Martijn de Vrieze*
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Jan 16, 2015 at 9:01 AM, Felix Schumacher <
>>>>>>> felix.schumacher@internetallee.de> wrote:
>>>>>>>
>>>>>>> On 15.01.2015 22:48, Martijn de Vrieze wrote:
>>>>>>>>
>>>>>>>>> I have been struggling somewhat with JMeter and kerberos lately. Google so
>>>>>>>>> far has not been able to help me out with the issue I am facing.
>>>>>>>>>
>>>>>>>>> The system under test is a Microsoft CRM 2013 platform, up until a few days
>>>>>>>>> ago my tests worked fine since basic auth was switched on. However on the
>>>>>>>>> most recent drop with changes they also switched over to kerberos auth
>>>>>>>>> only.
>>>>>>>>>
>>>>>>>>> I have:
>>>>>>>>> * filled in the KRB5.CONF with all relevant information
>>>>>>>>> * HTTP AUTH Manager in the script with base URL, username, password,
>>>>>>>>>   domain and KERBEROS filled in
>>>>>>>>> * HTTP Request defaults to ensure and enforce HTTP4 use, HTTPS over port
>>>>>>>>>   443 and the same base URL all over the place
>>>>>>>>>
>>>>>>>>> However I cannot get it to work properly, logging in simply refuses to work
>>>>>>>>> for me. I'd really appreciate some help here, I use Jmeter fairly often,
>>>>>>>>> with this I am however completely stuck.
>>>>>>>>>
>>>>>>>>> When running the first step, which instantly receives the KERBEROS auth
>>>>>>>>> request I get the following in my logs:
>>>>>>>>>
>>>>>>>>> 2015/01/15 17:13:02 INFO  - jmeter.threads.JMeterThread: Thread started: Jmeter 1-1
>>>>>>>>> 2015/01/15 17:13:02 INFO  - jmeter.services.FileServer: Stored: users.csv
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: GET(OAH) http://tst-crm20.test.nl/TEST/main.aspx null
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.HC4CookieHandler: Found 0 cookies for http://tst-crm20.test.nl/TEST/main.aspx
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: inCache http://tst-crm20.test.nl/TEST/main.aspx null
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Target URL strings to match against: http://tst-crm20.test.nl/TEST/main.aspx and http://tst-crm20.test.nl:80/TEST/main.aspx
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Checking match against auth'n entry: http://tst-crm20.test.nl
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Matched
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Target URL strings to match against: http://tst-crm20.test.nl/TEST/main.aspx and http://tst-crm20.test.nl:80/TEST/main.aspx
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Checking match against auth'n entry: http://tst-crm20.test.nl
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Matched
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: m.devrieze > D=TEST R= M=KERBEROS
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: GET(OAH) http://tst-crm20.test.nl/TEST/main.aspx null
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.HC4CookieHandler: Found 0 cookies for http://tst-crm20.test.nl/TEST/main.aspx
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: inCache http://tst-crm20.test.nl/TEST/main.aspx null
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Target URL strings to match against: http://tst-crm20.test.nl/TEST/main.aspx and http://tst-crm20.test.nl:80/TEST/main.aspx
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Checking match against auth'n entry: http://tst-crm20.test.nl
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Matched
>>>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.KerberosManager: Subject cached:[] before:m.devrieze
>>>>>>>>> 2015/01/15 17:14:32 WARN  - jmeter.protocol.http.control.KerberosManager: Could not log in user m.devrieze javax.security.auth.login.LoginException: Receive timed out
>>>>>>>>>
>>>>>>>> It seems, that the kerberos server did not answer the request for a
>>>>>>>> service ticket (at least not within the default timeout of 30s).
>>>>>>>> Could you rerun the test with the java system property
>>>>>>>> "sun.security.krb5.debug" set to true?
>>>>>>>>
>>>>>>>> Could you post the contents of your krb5.conf and jaas.conf file?
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>   Felix
>>>>>>>>
>>>>>>>>
>>>>>>>>> *Thanks! *
>>>>>>>>>
>>>>>>>>> *Martijn de Vrieze*
>>>>>>>>>
>>>>>>>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: user-unsubscribe@jmeter.apache.org
>>> For additional commands, e-mail: user-help@jmeter.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@jmeter.apache.org
For additional commands, e-mail: user-help@jmeter.apache.org
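
An added example, not code from the thread or from JMeter: a small Python check over a krb5.conf that flags the settings changed to fix the login in this thread (a KDC entry on a port other than 88, a KDC entry naming the web server under test, and pinned `default_tkt_enctypes` / `default_tgs_enctypes`). The function names `parse_krb5` and `lint` and the sample text are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample, modelled on the krb5.conf quoted in the thread.
SAMPLE_KRB5 = """\
[libdefaults]
default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
[realms]
TEST.NL = {
    kdc = tst-crm20.test.nl:443
}
"""

def parse_krb5(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.conf text."""
    section, realm, libdefaults, realms = None, None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif line == "}":                        # end of a realm block
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "realms" and value == "{":
                realm = key                      # start of a realm block
                realms[realm] = []
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(value)
            elif section == "libdefaults":
                libdefaults[key] = value
    return libdefaults, realms

def lint(text, target_url):
    """Hypothetical helper: flag the settings that were changed in the thread."""
    libdefaults, realms = parse_krb5(text)
    web_host = (urlparse(target_url).hostname or "").lower()
    findings = []
    for realm, kdcs in realms.items():
        for kdc in kdcs:
            host, _, port = kdc.partition(":")   # assumes host[:port], no IPv6 literal
            if port and port != "88":
                findings.append(f"{realm}: kdc port {port}; a KDC normally listens on 88")
            if host.lower() == web_host:
                findings.append(f"{realm}: kdc {host} is the HTTP target, not a separate KDC host")
    pinned = [k for k in ("default_tkt_enctypes", "default_tgs_enctypes") if k in libdefaults]
    return findings + [f"{k} is pinned to {libdefaults[k]}" for k in pinned]
```

Calling `lint(SAMPLE_KRB5, "https://tst-crm20.test.nl/TEST/main.aspx")` returns four findings; a file whose `kdc` names a different host with no port and no enctype lines returns none.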

