KERBEROS AUTHENTICATION - HTTP 401 unauthorized

tanwadh
Hi Team,

I came across an application where Kerberos authentication is being used. It is
confirmed with the error message "Kerberos Authentication Error" in the
replay corresponding to the URL. Please find below the configuration which has
been done so far.


JMeter Version - JMeter 3.2
Error Message - Server not found in Kerberos database (7)

Any leads for the shared error message?


krb5.configuration

##############################################################################
[libdefaults]
    default_realm = PC.INTERNAL.XXXX.COM
    udp_preference_limit = 1
    default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
 
[realms]
    PC.INTERNAL.XXXX.COM = {
        kdc = PC.INTERNAL.XXXX.COM:88
        default_domain = PC.INTERNAL.XXXX.COM
    }
 
[domain_realm]
    .pc.internal.XXXX.com = PC.INTERNAL.XXXX.COM

################################################################################
jaas.configuration


JMeter {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=false
    useKeyTab=false
    storeKey=false
    debug=true;
};

################################################################################
Jmeter Test Plan

HTTP AUTHORIZATION MANAGER has been added as a child of the failed sample. Please
find below the configuration for the same.

BaseUrl- Empty
Username - Entered
Password - Entered
Domain - PC.INTERNAL.XXXX
Realm - PC.INTERNAL.XXXX.COM
Mechanism - KERBEROS

HTTP implementation is HTTPCLIENT4

################################################################################
System.properties

java.security.krb5.conf=krb5.conf
java.security.auth.login.config=jaas.conf

Debug config has been done to get the error message during the replay.

java.security.debug=gssloginconfig,configfile,configparser,logincontext
sun.security.krb5.debug=true

################################################################################

Jmeter.Properties

# Name of application module used in jaas.conf
kerberos_jaas_application=JMeter  


################################################################################

Please find below the stack trace for the same.

Java config name: krb5.conf
Loaded from Java config
                [Krb5LoginModule] user entered username: USERNAME

>>> KdcAccessibility: reset
default etypes for default_tkt_enctypes: 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=PC.INTERNAL.XXXX.COM TCP:88, timeout=30000, number of retries =3, #bytes=168
>>> KDCCommunication: kdc=PC.INTERNAL.XXXX.COM TCP:88, timeout=30000,Attempt =1, #bytes=168
>>>DEBUG: TCPClient reading 226 bytes
>>> KrbKdcReq send: #bytes read=226
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = PC.INTERNAL.XXXX.COMUSERNAME, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove PC.INTERNAL.XXXX.COM:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon Nov 27 10:30:55 IST 2017 1511758855000
         suSec is 84719
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/[hidden email]
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = PC.INTERNAL.XXXX.COMUSERNAME, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18 17.
default etypes for default_tkt_enctypes: 18 17.

>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=PC.INTERNAL.XXXX.COM TCP:88, timeout=30000, number of retries =3, #bytes=250
>>> KDCCommunication: kdc=PC.INTERNAL.XXXX.COM TCP:88, timeout=30000,Attempt =1, #bytes=250
>>>DEBUG: TCPClient reading 4421 bytes
>>> KrbKdcReq send: #bytes read=4421
>>> KdcAccessibility: remove PC.INTERNAL.XXXX.COM:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply USERNAME
principal is [hidden email]
Commit Succeeded

Found ticket for [hidden email] to go to krbtgt/[hidden email] expiring on Mon Nov 27 20:30:55 IST 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for [hidden email] to go to krbtgt/[hidden email] expiring on Mon Nov 27 20:30:55 IST 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 18 17.

>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbKdcReq send: kdc=PC.INTERNAL.XXXX.COM TCP:88, timeout=30000, number of retries =3, #bytes=4349
>>> KDCCommunication: kdc=PC.INTERNAL.XXXX.COM TCP:88, timeout=30000,Attempt =1, #bytes=4349
>>>DEBUG: TCPClient reading 134 bytes
>>> KrbKdcReq send: #bytes read=134
>>> KdcAccessibility: remove PC.INTERNAL.XXXX.COM:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
         sTime is Mon Nov 27 10:30:57 IST 2017 1511758857000
         suSec is 32968
         error code is 7
         error Message is Server not found in Kerberos database
         sname is HTTP/[hidden email]
         msgType is 30
KrbException: Server not found in Kerberos database (7)
        at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
        at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
        at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
        at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
        at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
        at org.apache.http.impl.auth.GGSSchemeBase.generateGSSToken(GGSSchemeBase.java:124)
        at org.apache.http.impl.auth.SPNegoScheme.generateToken(SPNegoScheme.java:95)
        at org.apache.http.impl.auth.GGSSchemeBase.authenticate(GGSSchemeBase.java:223)
        at org.apache.http.impl.auth.SPNegoScheme.authenticate(SPNegoScheme.java:85)
        at org.apache.http.client.protocol.RequestAuthenticationBase.authenticate(RequestAuthenticationBase.java:120)
        at org.apache.http.client.protocol.RequestAuthenticationBase.process(RequestAuthenticationBase.java:83)
        at org.apache.http.client.protocol.RequestTargetAuthentication.process(RequestTargetAuthentication.java:82)
        at org.apache.http.protocol.ImmutableHttpProcessor.process(ImmutableHttpProcessor.java:133)
        at org.apache.http.protocol.HttpRequestExecutor.preProcess(HttpRequestExecutor.java:167)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:484)
        at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
        at org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.lambda$executeRequest$3(HTTPHC4Impl.java:632)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Unknown Source)
        at org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.executeRequest(HTTPHC4Impl.java:630)
        at org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.sample(HTTPHC4Impl.java:413)
        at org.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sample(HTTPSamplerProxy.java:74)
        at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.followRedirects(HTTPSamplerBase.java:1542)
        at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.resultProcessing(HTTPSamplerBase.java:1636)
        at org.apache.jmeter.protocol.http.sampler.HTTPAbstractImpl.resultProcessing(HTTPAbstractImpl.java:519)
        at org.apache.jmeter.protocol.http.sampler.HTTPHC4Impl.sample(HTTPHC4Impl.java:493)
        at org.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sample(HTTPSamplerProxy.java:74)
        at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1189)
        at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1178)
        at org.apache.jmeter.threads.JMeterThread.executeSamplePackage(JMeterThread.java:491)
        at org.apache.jmeter.threads.JMeterThread.processSampler(JMeterThread.java:425)
        at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:254)
        at java.lang.Thread.run(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(Unknown Source)
        at sun.security.krb5.internal.TGSRep.init(Unknown Source)
        at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
        ... 42 more



--
Sent from: http://www.jmeter-archive.org/JMeter-User-f512775.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: KERBEROS AUTHENTICATION - HTTP 401 unauthorized

glinius@live.com
As per Kerberos and LDAP Troubleshooting Tips
<https://technet.microsoft.com/en-us/library/bb463167.aspx?f=255&MSPPError=-2147217396>


> The error “Server not found in Kerberos database” is common and can be
> misleading because it often appears when the service principal is not
> missing. The error can be caused by domain/realm mapping problems or it
> can be the result of a DNS problem where the service principal name is not
> being built correctly. Server logs and network traces can be used to
> determine what service principal is actually being requested

So most likely your *krb5.conf* file is not configured properly, or you are
sending incorrect credentials.

Check out the Windows Authentication with Apache JMeter
<https://www.blazemeter.com/blog/windows-authentication-apache-jmeter>
article for detailed information on how to configure JMeter for Kerberos
authentication.


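The quoted advice in the reply is to find out which service principal was actually requested. As an added example (not code from the thread or from JMeter), this Python script pulls each KRBError block out of a `sun.security.krb5.debug=true` trace, pairs it with the exchange it belongs to (req type 11 = AS, 13 = TGS) and lists the host part of every sname the KDC rejected with code 7; the sample trace, the host names and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the sun.security.krb5.debug=true output in the
# post above; host and realm names are placeholders, not values from the thread.
SAMPLE_TRACE = """\
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/PC.INTERNAL.EXAMPLE.COM@PC.INTERNAL.EXAMPLE.COM
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
         error code is 7
         error Message is Server not found in Kerberos database
         sname is HTTP/node3.lb.example.net@PC.INTERNAL.EXAMPLE.COM
"""

EXCHANGE = {11: "AS", 13: "TGS"}  # reply type the client expected (RFC 4120)
REQ_TYPE = re.compile(r"req type is (\d+)")
FIELD = re.compile(r"^\s+(error code|sname) is (.+?)\s*$")


def krb_errors(trace):
    """Return one dict per KRBError block: exchange, code, service, host, realm."""
    errors, exchange, current = [], None, None
    for line in trace.splitlines():
        m = REQ_TYPE.search(line)
        if m:
            exchange = EXCHANGE.get(int(m.group(1)), "?")
        elif line.lstrip("> ").startswith("KRBError"):
            current = {"exchange": exchange}
            errors.append(current)
        elif current is not None and (m := FIELD.match(line)):
            if m.group(1) == "error code":
                current["code"] = int(m.group(2))
            else:  # sname has the form service/instance@REALM
                name, _, realm = m.group(2).partition("@")
                service, _, host = name.partition("/")
                current.update(service=service, host=host, realm=realm)
    return errors


def unknown_spn_hosts(trace, target_host):
    """Hosts the KDC rejected with code 7 during a TGS exchange, each paired
    with whether it equals the host name used in the sampler URL."""
    return [(e["host"], e["host"].lower() == target_host.lower())
            for e in krb_errors(trace)
            if e.get("code") == 7 and e["exchange"] == "TGS" and "host" in e]
```

A reported host that differs from the one in the sampler URL points at the DNS or realm-mapping causes named in the quote; the code 25 entry in the AS exchange is the normal pre-authentication round trip and is ignored.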