JMeter Kerberos authentication with SPNEGO

JMeter Kerberos authentication with SPNEGO

Peter.Isber@contractor.dimensional.com
Has anyone been successful in getting JMeter to authenticate on a Windows client with a Windows server using "Negotiate" and Kerberos? This would look like a four-step handshake in which the server responds first with a 302 redirect, then twice with 401, Unauthorized, and finally with a 200, OK as the client sends progressively more security information.

If not, has anyone determined that this does not work in JMeter?

I can configure my HTTP Authorization Manager, and krb5.conf and jaas.conf files, but JMeter will not respond to the challenge from the server. I am not seeing any Java exceptions. However, in the JMeter log, for each of the last three request/response pairs, I see:

DEBUG o.a.h.i.c.TargetAuthenticationStrategy: Authentication schemes in the order of preference: [Negotiate, Kerberos, NTLM, CredSSP, Digest, Basic]
DEBUG o.a.h.i.c.TargetAuthenticationStrategy: Challenge for Kerberos authentication scheme not available
DEBUG o.a.h.i.c.TargetAuthenticationStrategy: Challenge for CredSSP authentication scheme not available
DEBUG o.a.h.i.c.TargetAuthenticationStrategy: Challenge for Digest authentication scheme not available
DEBUG o.a.h.i.c.TargetAuthenticationStrategy: Challenge for Basic authentication scheme not available
Thanks.
This message and any attachments (the "Message") may contain confidential, proprietary and/or privileged information and are only for their intended recipient(s). If you are not the intended recipient, you should notify the sender and delete the Message. E-mail transmissions cannot be guaranteed to be secure or error-free. This Message is provided for information purposes and should not be construed as a solicitation or offer to buy or sell any securities or financial instruments, or to provide investment advice in any jurisdiction where the sender is not properly licensed or permitted to do so. This Message is subject to additional conditions and restrictions. Please read them here: https://legal.dimensional.com/email The sender of this Message is an independent contractor or consultant engaged by Dimensional Fund Advisors LP, its subsidiaries and/or affiliates (collectively, "DFA") for a limited purpose. The sender is not an employee, officer or director of DFA, and does not have the authority to enter into any agreement or undertaking on behalf of DFA or bind DFA in any way. Any questions concerning the authority of the sender should be directed to an appropriate officer or employee of DFA. For a list of DFA officers, please use this link: https://us.dimensional.com/firm/leadership

Re: JMeter Kerberos authentication with SPNEGO

Felix Schumacher

On 11.02.19 at 21:31, [hidden email] wrote:
> Has anyone been successful in getting JMeter to authenticate on a Windows client with a Windows server using "Negotiate" and Kerberos? This would look like a four-step handshake in which the server responds first with a 302 redirect, then twice with 401, Unauthorized, and finally with a 200, OK as the client sends progressively more security information.

The 302 probably has nothing to do with the authentication (at least not
directly). The first 401 should include a WWW-Authenticate header with
Negotiate in it. This should tell JMeter to initialize a Kerberos
context for a user and lead to a response with an Authorization header that
starts with Negotiate and contains quite a bit of base64-encoded data.

So far I have only seen servers that send the 200 after the first response
and don't need more information, and I doubt that JMeter, or rather
httpclient, supports a login that spans more than one round trip.

>
> If not, has anyone determined that this does not work in JMeter?
>
> I can configure my HTTP Authorization Manager, and krb5.conf and jaas.conf files, but JMeter will not respond to the challenge from the server. I am not seeing any Java exceptions. However, in the JMeter log, for each of the last three request/response pairs, I see:
>
> DEBUG o.a.h.i.c.TargetAuthenticationStrategy: Authentication schemes in the order of preference: [Negotiate, Kerberos, NTLM, CredSSP, Digest, Basic]
> DEBUG o.a.h.i.c.TargetAuthenticationStrategy: Challenge for Kerberos authentication scheme not available
> DEBUG o.a.h.i.c.TargetAuthenticationStrategy: Challenge for CredSSP authentication scheme not available
> DEBUG o.a.h.i.c.TargetAuthenticationStrategy: Challenge for Digest authentication scheme not available
> DEBUG o.a.h.i.c.TargetAuthenticationStrategy: Challenge for Basic authentication scheme not available

Are you sure that your krb5.conf and jaas.conf are getting used? Try to
enable more debug information and have a look at whether you really ask
for Kerberos tickets on the JMeter side.

Regards,

  Felix

> Thanks.


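A small offline checker for the exchange Felix describes, added here as an example; it is not code from the thread, from JMeter or from httpclient. It reads a captured sequence of request/response header pairs, names the mechanism behind every Negotiate token (a GSS-API InitialContextToken whose SPNEGO mechTypes list Kerberos OIDs, versus an NTLMSSP message, whose base64 form always starts with the fixed prefix "TlRMTVNT"), and for each 401 lists the schemes that httpclient's TargetAuthenticationStrategy would log as "not available" because the server did not offer them, so the quoted log lines can be read against what the server actually sent. The sample exchange, the host name app.example.test and the hand-built tokens (which carry only the outer framing, no real Kerberos or NTLM payload) are constructed for this example. The constructed run shows the 302/401/401/200 shape from the thread as it arises when a client such as a browser ends up in the three-leg NTLM handshake under the Negotiate scheme; a Kerberos token normally completes in a single round trip.

```python
"""Offline check of the tokens in an HTTP Negotiate (SPNEGO) exchange.
Added example, not code from the thread, JMeter or httpclient: it names the mechanism
(Kerberos vs NTLMSSP) behind each Negotiate token and lists the schemes a 401 did not offer.
"""
import base64

OID_NAMES = {  # well-known GSS-API mechanism OIDs
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
NTLM_SIGNATURE = b"NTLMSSP\x00"
# Order quoted from the httpclient debug log in the thread; every scheme a 401 does not
# offer gets a 'Challenge for X authentication scheme not available' line there.
HTTPCLIENT_PREFERENCE = ["Negotiate", "Kerberos", "NTLM", "CredSSP", "Digest", "Basic"]


def _read_tlv(buf, pos, tag):
    """DER TLV at buf[pos], which must carry `tag` -> (contents, next_pos)."""
    if buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length, start = buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: the low 7 bits count the length bytes that follow
        count = length & 0x7F
        length, start = int.from_bytes(buf[start:start + count], "big"), start + count
    return buf[start:start + length], start + length


def _oid_name(contents):
    """DER OID contents -> dotted string, replaced by a name when well known."""
    arcs, value = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    dotted = ".".join(map(str, arcs))
    return OID_NAMES.get(dotted, dotted)


def classify_token(b64):
    """Name the mechanism behind one Negotiate token (the base64 after 'Negotiate ')."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return "undecodable"
    if raw.startswith(NTLM_SIGNATURE) and len(raw) >= 12:
        return f"NTLMSSP type {int.from_bytes(raw[8:12], 'little')}"
    if raw[:1] == b"\xa1":  # RFC 4178 NegTokenResp: a later leg, never the first token
        return "SPNEGO NegTokenResp"
    try:
        body, _ = _read_tlv(raw, 0, 0x60)  # RFC 2743 InitialContextToken
        oid, pos = _read_tlv(body, 0, 0x06)
        if _oid_name(oid) != "SPNEGO":
            return f"raw {_oid_name(oid)} token"
        # NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }
        init, _ = _read_tlv(body, pos, 0xA0)
        seq, _ = _read_tlv(init, 0, 0x30)
        mech_list, _ = _read_tlv(seq, 0, 0xA0)
        oids, _ = _read_tlv(mech_list, 0, 0x30)
        names, p = [], 0
        while p < len(oids):
            oid, p = _read_tlv(oids, p, 0x06)
            names.append(_oid_name(oid))
        return "SPNEGO NegTokenInit proposing " + ", ".join(names)
    except (ValueError, IndexError):
        return "unknown"


def audit_exchange(exchange):
    """One summary dict per (status, request_headers, response_headers) step."""
    report = []
    for status, request, response in exchange:
        token = {k.lower(): v for k, v in request}.get("authorization", "").partition(" ")[2]
        offered = {}  # scheme -> token ('' when the challenge is bare)
        for name, value in response:
            if name.lower() == "www-authenticate":
                scheme, _, challenge = value.strip().partition(" ")
                offered[scheme] = challenge.strip()
        report.append({"status": status, "offered": sorted(offered),
                       "client_token": classify_token(token) if token else None,
                       "missing": [s for s in HTTPCLIENT_PREFERENCE if s not in offered] if status == 401 else []})
    return report


def ntlm_message(msg_type):
    """Constructed base64 NTLMSSP message: signature and type only, no real fields."""
    return base64.b64encode(NTLM_SIGNATURE + msg_type.to_bytes(4, "little") + bytes(24)).decode()


# Constructed SPNEGO NegTokenInit proposing MS-KRB5, KRB5 and NTLMSSP (mechTypes only, no mechToken).
KERBEROS_NEGOTIATE_TOKEN = base64.b64encode(bytes.fromhex(
    "603206062b0601050502a0283026a0243022"
    "06092a864882f712010202" "06092a864886f712010202" "060a2b06010401823702020a")).decode()
# Constructed, not a capture: the 302 -> 401 -> 401 -> 200 shape from the thread as it looks
# when the client ends up in the three-leg NTLM handshake under the Negotiate scheme.
SAMPLE_EXCHANGE = [
    (302, [("Host", "app.example.test")], [("Location", "/secure/")]),
    (401, [("Host", "app.example.test")], [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]),
    (401, [("Authorization", "Negotiate " + ntlm_message(1))], [("WWW-Authenticate", "Negotiate " + ntlm_message(2))]),
    (200, [("Authorization", "Negotiate " + ntlm_message(3))], [("Content-Type", "text/html")]),
]
```

Feed audit_exchange the header pairs you captured (from a proxy or from JMeter's own request and response data) and compare the "offered" and "missing" lists with the debug lines quoted above: a 401 that offers only Negotiate and NTLM produces exactly the four "not available" lines in the thread, and the "client_token" entry tells you whether the blob the client sent after it was Kerberos-backed SPNEGO or an NTLMSSP message.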