Jmeter Kerberos

Jmeter Kerberos

chandrikak
Hi,

I'm trying to use jmeter for Kerberos authentication but the authentication
is not happening successfully.

Here are the steps followed:

1. Updated the krb5.conf with right hosts and kdc details.
2. Add the applications url request (that is going to redirect to auth
server and after successful validation it will redirect to the
application.)
3. Added the HTTP authorization manager and updated with the login
information.

Tried the following:
1. Add invalid login credentials, I get error in jmeter logs saying userid
not found in kdc. So this makes sure that kdc config is right.
1. If I run this script, the auth servers redirects back to the same since
it was not able to authorize
2. If I add the http header and include the UserAgent string , I get an
error saying:

WARN  - org.apache.http.client.protocol.RequestTargetAuthentication:
NEGOTIATE authentication error: No valid credentials provided (Mechanism
level: No valid credentials provided (Mechanism level: Message stream
modified (41)))

WARN  - org.apache.http.client.protocol.RequestTargetAuthentication:
NEGOTIATE authentication error: No valid credentials provided (Mechanism
level: No valid credentials provided (Mechanism level: Message stream
modified (41)))

Response headers:

Responsecode: 401

Response message: Unauthorized

Response headers:

HTTP/1.1 401 Unauthorized

Date: Tue, 05 Jun 2018 20:11:24 GMT

Server:

Content-Length: 0

Connection: keep-alive

Host: xxx.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows; Trident/6.0)

WWW-Authenticate: Negotiate



Did anyone come across similar issue? Any suggestions/pointers ?


Thank you.
Re: Jmeter Kerberos

Felix Schumacher


On 06.06.2018 at 05:18, Swathi Chandrika wrote:
> Hi ,
>
> I'm trying to use jmeter for Kerberos authentication but the authentication
> is not happening successfully.
>
> Here are the steps followed:
>
> 1.Updated the krb5.conf with right hosts and kdc details.
Could you show us the configuration? Replace the domain names with
something you would be comfortable to share publicly - like
domain.example.invalid and EXAMPLE.INVALID.
> 2. Add the applications url request (that is going to redirect to auth
> server and after successfully validation it will redirect to the
> application.)
> 3. Added the HTTP authorization manager and updated with the login
> information.

Have you set the JVM parameters

java.security.krb5.conf=krb5.conf
java.security.auth.login.config=jaas.conf

and do they point to the correct files?

I would use the newly added feature of specifying them in bin/setenv.sh
(for a linux system) by adding something like

KRB_CONF=${JMETER_HOME}/bin/krb5.conf
JAAS_CONF=${JMETER_HOME}/bin/jaas.conf
export JMETER_OPTS="-Djava.security.krb5.conf=${KRB_CONF} -Djava.security.auth.login.config=${JAAS_CONF}"

to that (probably newly created) file.

If it still doesn't work, I would modify the jaas.conf file to include
debug=true so that it would probably read:

JMeter {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=false
    useKeyTab=false
    debug=true
    storeKey=false;
};

And always have a look in jmeter.log.

>
> Tried the following:
> 1. Add invalid login credentials, I get error in jmeter logs saying userid
> not found in kdc. So this make sure that kdc config is right.
Good.

> 1. If I run this script, the auth servers redirects back to the same since
> it was not able to authorize
Maybe the server has a problem then? Are there any messages in the logs?

> 2. If I add the http header and include the UserAgent string , I get an
> error saying:
Which header do you add?

>
> WARN  - org.apache.http.client.protocol.RequestTargetAuthentication:
> NEGOTIATE authentication error: No valid credentials provided (Mechanism
> level: No valid credentials provided (Mechanism level: Message stream
> modified (41)))
>
> WARN  - org.apache.http.client.protocol.RequestTargetAuthentication:
> NEGOTIATE authentication error: No valid credentials provided (Mechanism
> level: No valid credentials provided (Mechanism level: Message stream
> modified (41)))
>
> Response headers:
>
> Responsecode: 401
>
> Response message: Unauthorized
>
> Response headers:
>
> HTTP/1.1 401 Unauthorized
>
> Date: Tue, 05 Jun 2018 20:11:24 GMT
>
> Server:
>
> Content-Length: 0
>
> Connection: keep-alive
>
> Host: xxx.com
>
> User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows; Trident/6.0)
>
> WWW-Authenticate: Negotiate
>
>
>
> Did anyone come across similar issue? Any suggestions/pointers ?

What is the answer JMeter gives to this 401 request?

Regards,
  Felix

>
>
> Thank you.
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Jmeter Kerberos

chandrikak
Thanks for the response Felix.

1. Yes, the below two files are enabled in system.properties:
(if I give wrong path, I get error in jmeter log, so validated it that way)

java.security.krb5.conf=krb5.conf
java.security.auth.login.config=jaas.conf

2. I am using windows machine and hence cannot configure the bin/setenv.sh

3. Request headers:

Connection: keep-alive
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows; Trident/6.0)


4. The server doesn't have any problem because the same uris works fine in
loadrunner and manually through browser as well.
When recording the script via Loadrunner, it is recording fine successfully,
but replay again throws same error:
> WARN  - org.apache.http.client.protocol.RequestTargetAuthentication:
> NEGOTIATE authentication error: No valid credentials provided (Mechanism
> level: No valid credentials provided (Mechanism level: Message stream
> modified (41)))
>
> WARN  - org.apache.http.client.protocol.RequestTargetAuthentication:
> NEGOTIATE authentication error: No valid credentials provided (Mechanism
> level: No valid credentials provided (Mechanism level: Message stream
> modified (41)))

5. Already updated the JAAS to include debug=true. Here is the log response
in command prompt:


Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
                [Krb5LoginModule] user entered username: *testuser*

principal is *[hidden email]*
Commit Succeeded

6. krb5.conf

# Default Krb5.conf file for OctetString VDE 3.0

[libdefaults]
        default_realm = XXX.TEST.COM
        default_checksum = ***
        default_tkt_enctypes = ***
        default_tgs_enctypes = ***
        permitted_enctypes = ***
        udp_preference_limit=*
#       default_tgs_enctypes = **
#       default_tkt_enctypes = **
#       permitted_enctypes = **
##        clockskew=*
  ##      kdc_timeout=**
    ##    max_retries=*

[realms]
 

        xxx.test.COM = {
   
kdc = servername.XXX.TEST.COM
admin_server = servername.xxx.test.com
default_domain = XXX.TEST.COM
        }

       

[domain_realm]
       
        .xxx.test.com = XXX.TEST.COM
        xxx.test.com = XXX.TEST.COM
       
#[logging]
#        kdc = /opt/apps/Oracle/OViD/logs/local1
#        admin-server = /opt/apps/Oracle/OViD/logs/local2
#        default = /opt/apps/Oracle/OViD/logs/auth










--
Sent from: http://www.jmeter-archive.org/JMeter-User-f512775.html


Re: Jmeter Kerberos

Felix Schumacher


On 08.06.2018 at 22:28, chandrikak wrote:
> Thanks for the response Felix.
>
> 1. Yes the below two files are enabled in system.properties .:
> (if i give wrong path, i get error in jmeter log, so validated it that way)
>
> java.security.krb5.conf=krb5.conf
> java.security.auth.login.config=jaas.conf
You could try to set -Dsun.security.krb5.debug=true to get more debug
information.
>
> 2. I am using windows machine and hence cannot configure the bin/setenv.sh
But you could place those settings in bin/setenv.bat :)

>
> 3.Request headers:
>
> Connection: keep-alive
> User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows; Trident/6.0)
>
>
> 4. The server doesnt have any problem because the same uris works fine in
> loadrunner and manually through browser as well.
> When recording the script via Loadrunner, it is recording fine  succesfully,
> but replay again throws same error:
>> WARN  - org.apache.http.client.protocol.RequestTargetAuthentication:
>> NEGOTIATE authentication error: No valid credentials provided (Mechanism
>> level: No valid credentials provided (Mechanism level: Message stream
>> modified (41)))
>>
>> WARN  - org.apache.http.client.protocol.RequestTargetAuthentication:
>> NEGOTIATE authentication error: No valid credentials provided (Mechanism
>> level: No valid credentials provided (Mechanism level: Message stream
>> modified (41)))
The only things I found on google pointed to upper/lowercase problems
with the domain.
Check that you have uppercased the domain on every SPN: user@REALM

> 5. Already update the JAAS to include debug=true.  here is the log response
> in command prompt:
>
>
> Debug is  true storeKey false useTicketCache false useKeyTab false
> doNotPrompt f
> alse ticketCache is null isInitiator true KeyTab is null refreshKrb5Config
> is fa
> lse principal is null tryFirstPass is false useFirstPass is false storePass
> is f
> alse clearPass is false
>                  [Krb5LoginModule] user entered username: *testuser*
>
> principal is *[hidden email]*
> Commit Succeeded
>
> 6. krb5.conf
>
> # Default Krb5.conf file for OctetString VDE 3.0
>
> [libdefaults]
>          default_realm = XXX.TEST.COM
>          default_checksum = ***
>          default_tkt_enctypes = ***
>          default_tgs_enctypes = ***
>          permitted_enctypes = ***
I would omit all the above settings except the default_realm.

>          udp_preference_limit=*
> #       default_tgs_enctypes = **
> #       default_tkt_enctypes = **
> #       permitted_enctypes = **
> ##        clockskew=*
>    ##      kdc_timeout=**
>      ##    max_retries=*
>
> [realms]
>  
>
>          xxx.test.COM = {
>    
> kdc = servername.XXX.TEST.COM
> admin_server = servername.xxx.test.com
> default_domain = XXX.TEST.COM
Your kerberos domain is most probably set up correctly in DNS, so leave
out this section completely.

Regards,
  Felix

>          }
>
>        
>
> [domain_realm]
>        
>          .xxx.test.com = XXX.TEST.COM
>          xxx.test.com = XXX.TEST.COM
>        
> #[logging]
> #        kdc = /opt/apps/Oracle/OViD/logs/local1
> #        admin-server = /opt/apps/Oracle/OViD/logs/local2
> #        default = /opt/apps/Oracle/OViD/logs/auth
>
>
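
Added example, not part of the thread: the reply above suggests checking realm case, and the posted [realms] entry is written xxx.test.COM while default_realm is XXX.TEST.COM (Kerberos realm names are case-sensitive). This Python lint flags realm names that are not upper-case or that have no exact-case [realms] entry; the function name check_realm_case and the EXAMPLE.INVALID sample are constructed for illustration.

```python
import re

# Constructed sample shaped like the krb5.conf posted in the thread,
# using placeholder names (EXAMPLE.INVALID); not the poster's real file.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.INVALID
[realms]
    example.INVALID = {
        kdc = kdc1.EXAMPLE.INVALID
        default_domain = EXAMPLE.INVALID
    }
[domain_realm]
    .example.invalid = EXAMPLE.INVALID
    example.invalid = Example.Invalid
"""

def check_realm_case(text):
    """Return findings about realm-name case in krb5.conf text."""
    section, depth = None, 0
    default_realm, realms, mapped = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                                # e.g. [realms]
            section, depth = header.group(1), 0
        elif line.startswith("}"):                # end of a realm body
            depth = max(0, depth - 1)
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "realms" and value.startswith("{"):
                if depth == 0:
                    realms.append(key)            # realm name as written
                depth += 1
            elif section == "domain_realm" and value:
                mapped.append(value)              # realm a DNS name maps to
    # Realms that something refers to, de-duplicated in file order.
    used = list(dict.fromkeys(([default_realm] if default_realm else []) + mapped))
    findings = [f"realm '{r}' is not upper-case"
                for r in dict.fromkeys(realms + used) if r != r.upper()]
    if realms:  # only meaningful when [realms] is present at all
        findings += [f"realm '{r}' has no exact-case entry in [realms]"
                     for r in used if r not in realms]
    return findings

if __name__ == "__main__":
    print("\n".join(check_realm_case(SAMPLE)) or "no findings")
```

An empty result only means the realm spelling is consistent inside the file; the principal entered in the HTTP Authorization Manager still has to use the same upper-case realm.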


Re: Jmeter Kerberos

chandrikak
Thanks for the inputs.
1. I don't find bin/setenv.bat file anywhere in my jmeter directory.

2. I tried just removing all contents in krb5.conf.
I still see same error:

 WARN  - org.apache.http.client.protocol.RequestTargetAuthentication:
>> NEGOTIATE authentication error: No valid credentials provided (Mechanism
>> level: No valid credentials provided (Mechanism level: Message stream
>> modified (41)))

looks like jmeter is navigating to the krb5 and jaas files but the contents
are not being parsed?




Re: Jmeter Kerberos

Felix Schumacher


On 8 June 2018 23:14:15 CEST, chandrikak <[hidden email]> wrote:
>thanks for the inputs.
>1.  i dont find bin/setenv.bat file anywhere in my jmeter directory.

You can create one and jmeter 4.0 should use it.

Have you tried to set -Dsun.security.krb5.debug=true to get more debug?

>
>2. I tried just removing all contents in  krb5.conf .
>i still see same error:
>
> WARN  - org.apache.http.client.protocol.RequestTargetAuthentication:
>>> NEGOTIATE authentication error: No valid credentials provided
>(Mechanism
>>> level: No valid credentials provided (Mechanism level: Message
>stream
>>> modified (41)))
>
>looks like jmeter is navigating to the krb5 and jaas files but the
>contents
>are not being parsed?

I think it is more likely that the input data are not entirely correct.

What do you specify in the http authentication manager?

Felix
