Subject: Re: Jmeter user authentication over Kerberos not succeeding
From: Felix Schumacher
Date: Fri, 16 Jan 2015 13:25:39 +0100
To: JMeter Users List

On 16 January 2015 13:21:32 CET, Martijn de Vrieze wrote:
> Hey Felix,
>
> you are indeed right! Got it working now. Needed to flip the URL in
> krb5 to the Domain Controller and switch off the default_tkt_enctypes
> and default_tgs_enctypes

Glad, that I could help you.

> How do I stop answering in top-post style? Sorry, no idea what I
> should do differently, I just hit reply in gmail.

Can't help you there, but a google search might help.

Regards
Felix

> On Fri, Jan 16, 2015 at 12:59 PM, Felix Schumacher wrote:
>>
>> On 16.01.2015 10:49, Martijn de Vrieze wrote:
>>>
>>> Hey Felix,
>>>
>>> thanks for the help so far :)
>>> BTW, does it make a difference that I am working from a 64b Linux box?
>>> Although when within the domain, on a windows (citrix) box I get the same
>>> errors.
>>
>> I do my testing from linux, so I am sure, that linux works.
>>
>>> I started off initially trying it over 88, which gives the exact same
>>> time-out.
>>
>> Then maybe not only the port is wrong, but the dns name also? The kdc is
>> not the website server you are trying to connect to, but the key
>> distribution center, that is the kerberos server.
>>
>>> When I asked the implementation partner they claimed it should just run
>>> over 443, but then again, what do they know :)
>>
>> If they tell you it is 443, they probably mean the webserver, which is
>> most likely not the kdc.
>>
>>> One thing I have noticed so far, is that the request headers contain
>>> nothing towards auth types:
>>
>> That is OK, since you have no TGT or service ticket and if it is the
>> first request no knowledge, that the server is willing to speak SPNEGO.
>>
>>> Request Headers:
>>> Connection: keep-alive
>>> User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
>>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>> Accept-Language: en-US,en;q=0.5
>>> Accept-Encoding: gzip, deflate
>>> Pragma: no-cache
>>> Cache-Control: no-cache
>>> Host: tst-crm20.veh.nl
>>>
>>> Whereas the response header does tell me the www-auth => negotiate
>>>
>>> Thread Name: Jmeter 1-1
>>> Sample Start: 2015-01-16 10:36:01 CET
>>> Load time: 90209
>>> Latency: 90208
>>> Size in bytes: 485
>>> Headers size in bytes: 425
>>> Body size in bytes: 60
>>> Sample Count: 1
>>> Error Count: 1
>>> Response code: 401
>>> Response message: Unauthorized
>>>
>>> Response headers:
>>> HTTP/1.1 401 Unauthorized
>>> Cache-Control: private
>>> Transfer-Encoding: chunked
>>> Content-Type: text/plain
>>> Server: Microsoft-IIS/8.5
>>> X-AspNet-Version: 4.0.30319
>>> REQ_ID: e73cba80-97e4-4444-a201-a50ab6957a31
>>> Set-Cookie: ReqClientId=51c362af-23e0-4dad-a299-10e6bf67c310; expires=Fri, 16-Jan-2065 09:37:31 GMT; path=/; secure; HttpOnly
>>> WWW-Authenticate: Negotiate
>>
>> This is good, as it means that the server is willing to speak SPNEGO
>> with you.
>>
>>> X-Powered-By: ASP.NET
>>> Date: Fri, 16 Jan 2015 09:37:31 GMT
>>>
>>> HTTPSampleResult fields:
>>> ContentType: text/plain
>>> DataEncoding: null
>>>
>>> Also, Tried connecting straight through Java and that worked like a charm.
>>>
>>> Code is somewhat like this:
>>>
>>> public class NTLM_ping {
>>>     public NTLM_ping(){
>>>         super();
>>>     }
>>>
>>>     public static void main(String[]args) throws Exception {
>>>
>>>         DefaultHttpClient httpClient = new DefaultHttpClient();
>>>         httpClient.getAuthSchemes().register("ntlm",new NTLMSchemeFactory());
>>
>> That is great, but you are not using kerberos here.
>>
>> This is NTLM, which you could use with jmeter, too.
>> I believe you have to fill in the domain and realm columns and use
>> BASIC_DIGEST instead of Kerberos.
>>
>> But keep in mind, that kerberos is cooler and probably more secure.
>>
>>>         // add credentials
>>>
>>>         httpClient.getCredentialsProvider().setCredentials(
>>>             new AuthScope("TEST", -1),
>>>             new NTCredentials("m.devrieze","PassWord","tst-crm20.test.nl","TEST"));
>>>
>>>         HttpGet httpGet = new HttpGet("http://tst-crm20.test.nl");
>>>
>>>         // ignore cookies
>>>         /*httpGet.getParams().setParameter("http.protocol.cookie-policy",
>>>         CookiePolicy.ACCEPT_ALL);
>>>         */
>>>         try{
>>>             // execute the GET
>>>             HttpResponse status = httpClient.execute(httpGet);
>>>             System.out.println(status.getProtocolVersion());
>>>             System.out.println(status.getStatusLine().getStatusCode());
>>>             System.out.println(status.getStatusLine().getReasonPhrase());
>>>             System.out.println(status.getStatusLine().toString());
>>>         }finally {
>>>             // release any sources
>>>         }
>>>
>> And by the way, could you stop answering in top-post style?
>>
>> Regards
>> Felix
>>
>>> On Fri, Jan 16, 2015 at 10:21 AM, Felix Schumacher <felix.schumacher@internetallee.de> wrote:
>>>
>>>> On 16.01.2015 09:58, Martijn de Vrieze wrote:
>>>>
>>>>> krb5.conf
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = TEST.NL
>>>>> default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>> default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>> forwardable=true
>>>>>
>>>>> [realms]
>>>>> TEST.NL = {
>>>>> kdc = tst-crm20.test.nl:443
>>>>>
>>>> This is a strange port for a kdc. I would expect it to listen on 88.
>>>>
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> test.nl= TEST.NL
>>>>> .test.nl= TEST.NL
>>>>>
>>>>> [appdefaults]
>>>>> pam = {
>>>>> debug = false
>>>>> ticket_lifetime = 36000
>>>>> renew_lifetime = 36000
>>>>> forwardable = true
>>>>> krb4_convert = false
>>>>> }
>>>>>
>>>>> jaas.conf
>>>>>
>>>>> JMeter {
>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>> doNotPrompt=false
>>>>> useKeyTab=false
>>>>> storeKey=false;
>>>>> };
>>>>>
>>>>> On rerunning I received the following error (which I have not seen before):
>>>>> 2015/01/16 09:57:52 WARN - org.apache.http.client.protocol.RequestTargetAuthentication: NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
>>>>>
>>>> That is probably because you don't connect to the right port and no one
>>>> responds to you. Try another kdc port.
>>>>
>>>> Regards
>>>> Felix
>>>>
>>>>> *Martijn de Vrieze*
>>>>>
>>>>> On Fri, Jan 16, 2015 at 9:01 AM, Felix Schumacher <felix.schumacher@internetallee.de> wrote:
>>>>>
>>>>>> On 15.01.2015 22:48, Martijn de Vrieze wrote:
>>>>>>
>>>>>>> I have been struggling somewhat with JMeter and kerberos lately. Google so
>>>>>>> far has not been able to help me out with the issue I am facing.
>>>>>>>
>>>>>>> The system under test is a Microsoft CRM 2013 platform, up until a few days
>>>>>>> ago my tests worked fine since basic auth was switched on. However on the
>>>>>>> most recent drop with changes they also switched over to kerberos auth
>>>>>>> only.
>>>>>>>
>>>>>>> I have:
>>>>>>> * filled in the KRB5.CONF with all relevant information
>>>>>>> * HTTP AUTH Manager in the script with base URL, username, password,
>>>>>>>   domain and KERBEROS filled in
>>>>>>> * HTTP Request defaults to ensure and enforce HTTP4 use, HTTPS over port
>>>>>>>   443 and the same base URL all over the place
>>>>>>>
>>>>>>> However I cannot get it to work properly, logging in simply refuses to work
>>>>>>> for me. I'd really appreciate some help here, I use Jmeter fairly often,
>>>>>>> with this I am however completely stuck.
>>>>>>>
>>>>>>> When running the first step, which instantly receives the KERBEROS auth
>>>>>>> request I get the following in my logs:
>>>>>>>
>>>>>>> 2015/01/15 17:13:02 INFO - jmeter.threads.JMeterThread: Thread started: Jmeter 1-1
>>>>>>> 2015/01/15 17:13:02 INFO - jmeter.services.FileServer: Stored: users.csv
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: GET(OAH) http://tst-crm20.test.nl/TEST/main.aspx null
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.HC4CookieHandler: Found 0 cookies for http://tst-crm20.test.nl/TEST/main.aspx
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: inCache http://tst-crm20.test.nl/TEST/main.aspx null
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Target URL strings to match against: http://tst-crm20.test.nl/TEST/main.aspx and http://tst-crm20.test.nl:80/TEST/main.aspx
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Checking match against auth'n entry: http://tst-crm20.test.nl
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Matched
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Target URL strings to match against: http://tst-crm20.test.nl/TEST/main.aspx and http://tst-crm20.test.nl:80/TEST/main.aspx
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Checking match against auth'n entry: http://tst-crm20.test.nl
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Matched
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: m.devrieze > D=TEST R= M=KERBEROS
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: GET(OAH) http://tst-crm20.test.nl/TEST/main.aspx null
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.HC4CookieHandler: Found 0 cookies for http://tst-crm20.test.nl/TEST/main.aspx
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: inCache http://tst-crm20.test.nl/TEST/main.aspx null
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Target URL strings to match against: http://tst-crm20.test.nl/TEST/main.aspx and http://tst-crm20.test.nl:80/TEST/main.aspx
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Checking match against auth'n entry: http://tst-crm20.test.nl
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Matched
>>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.KerberosManager: Subject cached:[] before:m.devrieze
>>>>>>> 2015/01/15 17:14:32 WARN - jmeter.protocol.http.control.KerberosManager: Could not log in user m.devrieze javax.security.auth.login.LoginException: Receive timed out
>>>>>>>
>>>>>> It seems, that the kerberos server did not answer the request for a
>>>>>> service ticket (at least not within the default timeout of 30s).
>>>>>> Could you rerun the test with the java system property
>>>>>> "sun.security.krb5.debug" set to true?
>>>>>>
>>>>>> Could you post the contents of your krb5.conf and jaas.conf file?
>>>>>>
>>>>>> Regards
>>>>>> Felix
>>>>>>
>>>>>>> *Thanks! *
>>>>>>>
>>>>>>> *Martijn de Vrieze*

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@jmeter.apache.org
For additional commands, e-mail: user-help@jmeter.apache.org
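
Added example, not part of the original thread and not JMeter code: a small Python check for the krb5.conf problems this thread resolved, namely a `kdc` entry that names the web server or a non-default port instead of the KDC on port 88, and pinned `default_tkt_enctypes` / `default_tgs_enctypes`. The function name `lint_krb5`, the host `dc01.test.nl` and both sample files are assumptions constructed for illustration.

```python
import re
KDC_DEFAULT_PORT = 88  # standard Kerberos KDC port
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")
# Constructed samples: BROKEN mirrors the krb5.conf quoted in the thread;
# FIXED uses a placeholder domain controller name (dc01.test.nl is assumed).
BROKEN = """
[libdefaults]
default_realm = TEST.NL
default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
[realms]
TEST.NL = {
kdc = tst-crm20.test.nl:443
}
"""
FIXED = """
[libdefaults]
default_realm = TEST.NL
[realms]
TEST.NL = {
kdc = dc01.test.nl
}
"""

def lint_krb5(conf_text, web_host):
    """Return findings for a krb5.conf, given the host name of the web server under test."""
    findings, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                            # e.g. [libdefaults], [realms]
            section = header.group(1)
            continue
        if "=" not in line:                   # closing brace of a realm block
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "libdefaults" and key in ENCTYPE_KEYS:
            findings.append(f"{key} pinned to {value}: login fails if the KDC offers none of these")
        if section == "realms" and key == "kdc":
            host, sep, port = value.rpartition(":")
            if not sep or not port.isdigit():  # no explicit port given
                host, port = value, str(KDC_DEFAULT_PORT)
            if int(port) != KDC_DEFAULT_PORT:
                findings.append(f"kdc port {port} is not the Kerberos default {KDC_DEFAULT_PORT}")
            if host.lower() == web_host.lower():
                findings.append(f"kdc host {host} is the web server, not the KDC")
    return findings
```

Calling `lint_krb5(BROKEN, "tst-crm20.test.nl")` reports both enctype pins plus the port and host findings; the `FIXED` sample returns an empty list.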