jmeter-user mailing list archives

From Felix Schumacher <felix.schumac...@internetallee.de>
Subject Re: Jmeter user authentication over Kerberos not succeeding
Date Fri, 16 Jan 2015 12:25:39 GMT


On 16 January 2015 13:21:32 CET, Martijn de Vrieze <martijndevrieze@qa-rocks.com> wrote:
>Hey Felix,
>
>you are indeed right! Got it working now. Needed to flip the URL in
>krb5 to the Domain Controller and switch off the default_tkt_enctypes
>and default_tgs_enctypes
Glad that I could help you.

>
>How do I stop answering in top-post style? Sorry, no idea what I
>should do differently, I just hit reply in gmail.
Can't help you there, but a google search might help. 

Regards
Felix 
>
>
>
>On Fri, Jan 16, 2015 at 12:59 PM, Felix Schumacher
><felix.schumacher@internetallee.de> wrote:
>>
>> On 16.01.2015 10:49, Martijn de Vrieze wrote:
>>>
>>> Hey Felix,
>>>
>>> thanks for the help so far :)
>>> BTW, does it make a difference that I am working from a 64b Linux box?
>>> Although when within the domain, on a windows (citrix) box I get the same
>>> errors.
>>
>> I do my testing from linux, so I am sure that linux works.
>>
>>>
>>> I started off initially trying it over 88, which gives the exact same
>>> time-out.
>>
>> Then maybe not only the port is wrong, but the dns name also? The kdc
>> is not the website server you are trying to connect to, but the key
>> distribution center, that is the kerberos server.
>>
>>>
>>> When I asked the implementation partner they claimed it should just run
>>> over 443, but then again, what do they know :)
>>
>> If they tell you it is 443, they probably mean the webserver, which
>> is most likely not the kdc.
>>
>>>
>>> One thing I have noticed so far, is that the request headers contain
>>> nothing towards auth types:
>>
>> That is OK, since you have no TGT or service ticket and if it is the
>> first request no knowledge that the server is willing to speak SPNEGO.
>>
>>
>>>
>>>
>>> Request Headers:
>>> Connection: keep-alive
>>> User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
>>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>> Accept-Language: en-US,en;q=0.5
>>> Accept-Encoding: gzip, deflate
>>> Pragma: no-cache
>>> Cache-Control: no-cache
>>> Host: tst-crm20.veh.nl
>>>
>>> Whereas the response header does tell me the www-auth => negotiate
>>>
>>> Thread Name: Jmeter 1-1
>>> Sample Start: 2015-01-16 10:36:01 CET
>>> Load time: 90209
>>> Latency: 90208
>>> Size in bytes: 485
>>> Headers size in bytes: 425
>>> Body size in bytes: 60
>>> Sample Count: 1
>>> Error Count: 1
>>> Response code: 401
>>> Response message: Unauthorized
>>>
>>> Response headers:
>>> HTTP/1.1 401 Unauthorized
>>> Cache-Control: private
>>> Transfer-Encoding: chunked
>>> Content-Type: text/plain
>>> Server: Microsoft-IIS/8.5
>>> X-AspNet-Version: 4.0.30319
>>> REQ_ID: e73cba80-97e4-4444-a201-a50ab6957a31
>>> Set-Cookie: ReqClientId=51c362af-23e0-4dad-a299-10e6bf67c310; expires=Fri, 16-Jan-2065 09:37:31 GMT; path=/; secure; HttpOnly
>>> WWW-Authenticate: Negotiate
>>
>> This is good, as it means that the server is willing to speak SPNEGO
>> with you.
>>
>>> X-Powered-By: ASP.NET
>>> Date: Fri, 16 Jan 2015 09:37:31 GMT
>>>
>>>
>>> HTTPSampleResult fields:
>>> ContentType: text/plain
>>> DataEncoding: null
>>>
>>>
>>>
>>> Also, Tried connecting straight through Java and that worked like a charm.
>>>
>>> Code is somewhat like this:
>>>
>>> public class NTLM_ping {
>>>     public NTLM_ping(){
>>>         super();
>>>     }
>>>
>>>     public static void main(String[]args) throws Exception {
>>>
>>>         DefaultHttpClient httpClient = new DefaultHttpClient();
>>>         httpClient.getAuthSchemes().register("ntlm",new NTLMSchemeFactory());
>>
>> That is great, but you are not using kerberos here.
>>
>> This is NTLM, which you could use with jmeter, too. I believe you
>> have to fill in the domain and
>> realm columns and use BASIC_DIGEST instead of Kerberos.
>>
>> But keep in mind, that kerberos is cooler and probably more secure.
>>
>>>
>>>         // add credentials
>>>
>>>         httpClient.getCredentialsProvider().setCredentials(
>>>                 new AuthScope("TEST", -1),
>>>                 new NTCredentials("m.devrieze","PassWord","tst-crm20.test.nl","TEST"));
>>>
>>>         HttpGet httpGet = new HttpGet("http://tst-crm20.test.nl");
>>>
>>>         // ignore cookies
>>>         /*httpGet.getParams().setParameter("http.protocol.cookie-policy",
>>>                 CookiePolicy.ACCEPT_ALL);
>>>         */
>>>         try{
>>>             // execute the GET
>>>             HttpResponse status = httpClient.execute(httpGet);
>>>             System.out.println(status.getProtocolVersion());
>>>             System.out.println(status.getStatusLine().getStatusCode());
>>>             System.out.println(status.getStatusLine().getReasonPhrase());
>>>             System.out.println(status.getStatusLine().toString());
>>>         }finally {
>>>             // release any sources
>>>         }
>>>
>> And by the way, could you stop answering in top-post style?
>>
>> Regards
>>  Felix
>>
>>
>>>
>>>
>>>
>>> On Fri, Jan 16, 2015 at 10:21 AM, Felix Schumacher <
>>> felix.schumacher@internetallee.de> wrote:
>>>
>>>> On 16.01.2015 09:58, Martijn de Vrieze wrote:
>>>>
>>>>> krb5.conf
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = TEST.NL
>>>>> default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>> default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>> forwardable=true
>>>>>
>>>>> [realms]
>>>>> TEST.NL = {
>>>>>         kdc = tst-crm20.test.nl:443
>>>>>
>>>> This is a strange port for a kdc. I would expect it to listen on 88.
>>>>
>>>>  }
>>>>>
>>>>>
>>>>> [domain_realm]
>>>>> test.nl= TEST.NL
>>>>> .test.nl= TEST.NL
>>>>>
>>>>> [appdefaults]
>>>>>  pam = {
>>>>>    debug = false
>>>>>    ticket_lifetime = 36000
>>>>>    renew_lifetime = 36000
>>>>>    forwardable = true
>>>>>    krb4_convert = false
>>>>>  }
>>>>>
>>>>> jaas.conf
>>>>>
>>>>>
>>>>> JMeter {
>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>     doNotPrompt=false
>>>>>     useKeyTab=false
>>>>>     storeKey=false;
>>>>> };
>>>>>
>>>>> On rerunning I received the following error (which I have not seen before):
>>>>> 2015/01/16 09:57:52 WARN  - org.apache.http.client.protocol.RequestTargetAuthentication: NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
>>>>>
>>>> That is probably because you don't connect to the right port and no one
>>>> responds to you. Try another kdc port.
>>>>
>>>> Regards
>>>>  Felix
>>>>
>>>>>
>>>>> *Martijn de Vrieze*
>>>>>
>>>>>
>>>>>
>>>>> Phone: +31618707784 | Skype: martijndevrieze | gtalk:
>>>>> martijndevrieze@qa-rocks.com | Twitter:
>>>>> http://www.twitter.com/martijndevrieze | Linkedin:
>>>>> http://www.linkedin.com/in/martijndevrieze | Home:
>>>>> http://www.martijndevrieze.nl
>>>>>
>>>>> On Fri, Jan 16, 2015 at 9:01 AM, Felix Schumacher <
>>>>> felix.schumacher@internetallee.de> wrote:
>>>>>
>>>>> On 15.01.2015 22:48, Martijn de Vrieze wrote:
>>>>>>
>>>>>>> I have been struggling somewhat with JMeter and kerberos lately. Google so
>>>>>>> far has not been able to help me out with the issue I am facing.
>>>>>>>
>>>>>>> The system under test is a Microsoft CRM 2013 platform, up until a few days
>>>>>>> ago my tests worked fine since basic auth was switched on. However on the
>>>>>>> most recent drop with changes they also switched over to kerberos auth
>>>>>>> only.
>>>>>>>
>>>>>>> I have:
>>>>>>>  * filled in the KRB5.CONF with all relevant information
>>>>>>>  * HTTP AUTH Manager in the script with base URL, username, password,
>>>>>>>    domain and KERBEROS filled in
>>>>>>>  * HTTP Request defaults to ensure and enforce HTTP4 use, HTTPS over port
>>>>>>>    443 and the same base URL all over the place
>>>>>>>
>>>>>>> However I cannot get it to work properly, logging in simply refuses to work
>>>>>>> for me. I'd really appreciate some help here, I use Jmeter fairly often,
>>>>>>> with this I am however completely stuck.
>>>>>>>
>>>>>>> When running the first step, which instantly receives the KERBEROS auth
>>>>>>> request I get the following in my logs:
>>>>>>>
>>>>>>> 2015/01/15 17:13:02 INFO  - jmeter.threads.JMeterThread: Thread started: Jmeter 1-1
>>>>>>> 2015/01/15 17:13:02 INFO  - jmeter.services.FileServer: Stored: users.csv
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: GET(OAH) http://tst-crm20.test.nl/TEST/main.aspx null
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.HC4CookieHandler: Found 0 cookies for http://tst-crm20.test.nl/TEST/main.aspx
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: inCache http://tst-crm20.test.nl/TEST/main.aspx null
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Target URL strings to match against: http://tst-crm20.test.nl/TEST/main.aspx and http://tst-crm20.test.nl:80/TEST/main.aspx
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Checking match against auth'n entry: http://tst-crm20.test.nl
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Matched
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Target URL strings to match against: http://tst-crm20.test.nl/TEST/main.aspx and http://tst-crm20.test.nl:80/TEST/main.aspx
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Checking match against auth'n entry: http://tst-crm20.test.nl
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Matched
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: m.devrieze > D=TEST R= M=KERBEROS
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: GET(OAH) http://tst-crm20.test.nl/TEST/main.aspx null
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.HC4CookieHandler: Found 0 cookies for http://tst-crm20.test.nl/TEST/main.aspx
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: inCache http://tst-crm20.test.nl/TEST/main.aspx null
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Target URL strings to match against: http://tst-crm20.test.nl/TEST/main.aspx and http://tst-crm20.test.nl:80/TEST/main.aspx
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Checking match against auth'n entry: http://tst-crm20.test.nl
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Matched
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.KerberosManager: Subject cached:[] before:m.devrieze
>>>>>>> 2015/01/15 17:14:32 WARN  - jmeter.protocol.http.control.KerberosManager: Could not log in user m.devrieze javax.security.auth.login.LoginException: Receive timed out
>>>>>>>
>>>>>> It seems, that the kerberos server did not answer the request for a
>>>>>> service ticket (at least not within the default timeout of 30s).
>>>>>> Could you rerun the test with the java system property
>>>>>> "sun.security.krb5.debug" set to true?
>>>>>>
>>>>>> Could you post the contents of your krb5.conf and jaas.conf file?
>>>>>>
>>>>>> Regards
>>>>>>  Felix
>>>>>>
>>>>>>
>>>>>>> *Thanks! *
>>>>>>>
>>>>>>> *Martijn de Vrieze*
>>>>>>>
>>>>>>>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: user-unsubscribe@jmeter.apache.org
>For additional commands, e-mail: user-help@jmeter.apache.org
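
A small check for the misconfiguration this thread tracked down, as an added example that is not part of the original messages: it parses a krb5.conf and flags a kdc entry that is not on port 88 or that names the web server under test, plus the pinned enctype lines the poster removed. The function names and finding codes are assumptions, and the sample is constructed from the configuration quoted above.

```python
import re

# Constructed sample: the relevant lines of the krb5.conf quoted in the thread.
SAMPLE = """\
[libdefaults]
default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
[realms]
TEST.NL = {
        kdc = tst-crm20.test.nl:443
}
"""
KDC_PORT = 88  # standard Kerberos port, assumed when a kdc entry names no port


def parse_krb5(text):
    """Return (libdefaults dict, {realm: [(kdc_host, port), ...]})."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif line == "}":
            realm = None
        elif "=" in line and line[0] not in "#;":  # skip comment lines
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "realms" and value == "{":
                realm = key  # start of a realm block
            elif section == "realms" and realm and key == "kdc":
                host, _, port = value.partition(":")  # hostname or IPv4 only
                realms.setdefault(realm, []).append((host, int(port or KDC_PORT)))
            elif section == "libdefaults":
                libdefaults[key] = value
    return libdefaults, realms


def lint(text, web_hosts=()):
    """Return (code, detail) findings; web_hosts are the servers under test."""
    libdefaults, realms = parse_krb5(text)
    findings = []
    for realm, kdcs in realms.items():
        for host, port in kdcs:
            if port != KDC_PORT:
                findings.append(("kdc-port", f"{realm}: {host}:{port}"))
            if host in web_hosts:
                findings.append(("kdc-is-web-server", f"{realm}: {host}"))
    pinned = [key for key in libdefaults if key.endswith("_enctypes")]
    return findings + [("pinned-enctypes", key) for key in pinned]
```

Calling `lint(SAMPLE, web_hosts={"tst-crm20.test.nl"})` reports the port 443 entry, the KDC pointing at the web server, and both enctype lines.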


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@jmeter.apache.org
For additional commands, e-mail: user-help@jmeter.apache.org

