Jmeter Windows Authentication error - 401 - performance-testing

I am trying to record an internal website for which i need to enter credentials that is not same as the windows credential. Later on the same test needs to be run for more than one user. i know how to use the csv file to pass the parameters - username and password.
For Windows Authentication i have added Authorization manager.
From Fiddler i checked it was NTLM authentication(though i am not sure yet) and i did enter the values for NTLM authentication in Authorization Manager.
Now when i try and record the internal website - i cannot even go to homepage after the windows credentials, it keeps on spinning.
When i check the Authorization Manager, i find an extra line added for kerberos Authentication as shown in Picture:
My query here is:
1)why is it recording it as kerberos
2)where is it saving the username and password
3)why is it not loading the website- always keeps spinning and i have to stop it
4)I have tried Kerberos settings and then record, but its not working either , could it be i am using the wrong values in the kerb5.conf file , how do i debug.
Kind of stuck at the moment.
Thanks for help!

If you're uncertain what authentication is being used under the hood - just ask around, application developers or network administrators should be aware of the external authentication scheme. You can also try using a 3rd-party tool like Kerberos Authentication Tester
I don't think you can record and replay Windows authentication so it makes sense to start recording some time after the login screen as long as you can login using JMeter
Looking into JMeter source
// if HEADER_AUTHORIZATION contains "Basic"
// then set Mechanism.BASIC_DIGEST, otherwise Mechanism.KERBEROS
In case of Kerberos credentials are saved directly in the HTTP Authorization Manager in form of ${AUTH_LOGIN} and ${AUTH_PASSWORD}, real credentials are not stored anywhere
Most probably your application doesn't receive valid authentication context therefore it cannot proceed
Add sun.security.krb5.debug=true line to system.properties file (lives in "bin" folder of your JMeter installation), JMeter restart will be required to pick the property up.
More information:
Windows Authentication with Apache JMeter
JAAS and Java GSS-API Tutorials

Related

JMeter load test for Application authenticated with Azure AD

I'm new to JMeter and trying to create test case.The application is using OAuth 2.0 azure active directory authentication,I followed one the post https://blog.pnop.co.jp/jmeter-webapps-azuread-auth_en/ and was able to do http request to app but in return I'm getting below error:
We can't sign you in
Your browser is currently set to block cookies. You need to allow cookies to use this service.
Cookies are small text files stored on your computer that tell us when you're signed in. To learn how to allow cookies, check the online help in your web browser.
I took care of CookieManager.save.cookies=true in user.properties but still cookies are giving me hard-time though I could see cookies populating in request header being sent
If someone have a crack of similar scenario then that would be great help
Thanks
Have you added HTTP Cookie Manager to your test plan?
If yes and you're still experiencing problems try:
Checking jmeter.log file for any suspicious entries
Choose a more "relaxed" implementation for the cookie manager, i.e. netscape
Add the next line to user.properties file:
CookieManager.check.cookies=false
JMeter restart will be required to pick up the change
More information: HTTP Cookie Manager Advanced Usage - A Guide

SAP Commerce / Hybris denies oAuth login

My problem is that the oAuth gets denied on our test server but it works on our live and development (local) servers.
Is there something specific what I have to configure to make it work on antoher server?
I compared the platform folder with test and live, both are identical.
I created same oAuth logins on both servers, didn't work.
I tried to login through the ip, to avoid apache, didn't helped.
Now I am kind of lost where to look next.
To test my login I use Swagger or Postman with this url: https://test.shop/authorizationserver/oauth/token with Basic Authorization.
The reponse is: {"error":"invalid_client","error_description":"Bad client credentials"} but it is wrong.
This is the configuration for the user:
I had besides this problem, an equal one on the live system. Our apache removed the Authorization from the header to get the Backoffice working, which is protected through the htaccess. When I was researching this problem, I got the same error as this one. Now everything works fine on live. I corrected the same thing on test, tried even uninstall apache, but the login is still not working.
You need configure oAuthClient for SmartEdit by running following Impex:
INSERT_UPDATE OAuthClientDetails;clientId[unique=true];resourceIds;scope[mode=append];authorizedGrantTypes;accessTokenValiditySeconds;authorities;clientSecret;;smartedit;hybris;basic,permissionswebservices,previewwebservices;password,client_credentials;3600;;;
For details, please see:
Configuring oAuthClient for SmartEdit
Can you please check if the configurations are similar? If yes then there is something env specific and needs to be debugged individually.
We fixed the problem by pasting the correct "OAuth client secret" into the "Password" and "Verify password" field. This was initialized via impex with an old value (but not visible to the user in the dialog as seen in the lower screen).

IIS (windows auth) prompts for creds on one server, not on the other

An existing Win2016 server with IIS10 prompts for creds on a simple website set up with Windows Authentication. A new server does not.
I have an existing Win2016 server running IIS. I set up a simple website with one .htm page that says Hello World. If I turn on Windows Authentication only, the browser continually prompts for username/password. I want Kerberos authentication only, so the Providers list contains Negotiate only. Enable Kernel-mode authentication is selected. The app pool is running as Network Service. The target browser is Chrome.
After many hours going nowhere with this problem, I decided to build a new box with the same spec. After setting up the site in the same way, I do not get prompted by the browser! Strange!
Both boxes are domain joined and seemingly have the same GPOs applied.
Can anyone advise on how I can get the first server to behave like the second? Unfortunately moving to the new box is not an option at this stage. Any help on a structured methodology for diagnosing the Kerberos exchange between server and client would be most helpful.
Thank you.

using CCtray with Jenkins, while security enabled (using HTTPS)

I configured my Jenkins server to only use HTTPS and enabled security.
As well I don't like anybody who's not logged on to see the Dashboard (even if it would be empty). Here for I disabled the 'read' access for 'anonymous'.
So far all this works exactly to my likings :)
But wanting to add some build notification functionality to remote clients by e.g. using something like 'CCtray' I run into trouble. The access to the https://<SERVER>/cc.xml now only works for logged in users.
Where I would have liked to be able to get those notifications for 'anonymous'.
Probably combining these wishes is kind of contradictory - I suppose?
Maybe someone has a better idea which could match my likings?
Possibly any other notification tool which can be used???
For the Mercurial hook triggering the sw-builds I can use a construction like
curl --cacert <CERTIFICATE> https://<USER>:<PASSWORD>#<SERVER>/job/MyPROJECT/build?delay=0sec
But a similar approach for the URL in CCtray doesn't seem to work.
I've just started using the cctray Jenkins transport extension. Early days, but it seems to work as advertised and is connecting to our secure server perfectly happily.
Currently, the only significant limitation seems to be that if your password expires there's no way to re-enter your credentials.
For Jenkins servers without anonymous access, you can use Catlight build notification tool. You can provide access token or username/password to authenticate to your server.
I you have a self-signed ssl certificate, make sure that you add it to trusted by OS. That way, most applications will recognize it and connect to server without warnings.
Adding to #MrBlueSky 's answer, you can avoid the password expiration hassle; simply use a Jenkins-issued API Token instead of your password.
Log into Jenkins
Click your username (in the upper right corner)
Click Configure (in the left navbar)
Click Show API Token
Use this token in place of your password when setting up the Jenkins Transport settings

QTweetLib and request_token

I've just compiled QTweetLib on my linux host. I've compiled and run pinauthstatusupdate example without any changes. But when I try to get request_token I've get:
Failed to validate oauth signature and token
I synced time on my host:
using sudo ntpdate pool.ntp.org
But no changes...
The I changed consumer keys with keys which Twitter creates for my application. But I got same problem.
I checked the base string using http://quonos.nl/oauthTester/ and it says my base string is OK.
Here is raw header which QTweetLib creates:
OAuth
oauth_consumer_key="YImPrR11sLxv0ZjjKAskA",oauth_signature_method="HMAC-SHA1",oauth_signature="WQnBaTgyuU6HkPT7DqTkNK1MT5c%3D",oauth_timestamp="1325542113",oauth_nonce="J5oUsjoOE34e1iTE",oauth_version="1.0"
So what's the problem?
According to QTweetLib's readme it supports only xAuth. Is your Twitter application xAuth enabled? If not you need to request it to be enabled for your application by sending email to api#twitter.com and stating some valid reasons why you can't just use OAuth.
Have you looked at KQOAuth (http://www.d-pointer.com/solutions/kqoauth/)? It supports 'normal' OAuth by utilizing the web browser of the environment and a temporary local web server. I think I read somewhere that it might get integrated to Qt5 in some form and thus it would probably be a safer bet than QTweetLib.

Resources