Kerberos/Spnego authentication Issues

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Kerberos/Spnego authentication Issues

Akhilekhya Avantsa
Hi Team,

I am facing 401 unauthorized error for Kerberos authentication (spnego) using JMeter.

For JMeter Kerberos setup - I have configured krb5.conf, jaas.conf and system properties of Jmeter. Also added domain and realm to the HTTP Authorization Manager yet getting  authentication issues.
I have also enabled the Kerberos for the browser and able to record the scenarios  but getting as SPNEGO authentication not supported in the recorded response code.

Please help me with the steps to set up Jmeter for Kerberos authentication and suggestions to resolve the issue


Regards,
Akhilekhya Avantsa,
Test Analyst,
Infosys Ltd, India
+91 8639828304.
Reply | Threaded
Open this post in threaded view
|

Re: Kerberos/Spnego authentication Issues

Felix Schumacher

Am 17.11.20 um 20:23 schrieb Akhilekhya Avantsa:
> Hi Team,
>
> I am facing 401 unauthorized error for Kerberos authentication (spnego) using JMeter.
>
> For JMeter Kerberos setup - I have configured krb5.conf, jaas.conf and system properties of Jmeter. Also added domain and realm to the HTTP Authorization Manager yet getting  authentication issues.

Can you give us more details? Always remember, we can't see you setup
and have to guess what you mean by configured X or added Y. There are
tons of ways to configure something and not all are correct.

Are there any Kerberos/auth/SPNEGO related messages in jmeter.log? What
are the headers looking like in the request/responses?

I often stumble upon configuring the wrong paths for krb5.conf or
jaas.conf, especially when using relative paths.

If there are not enough log messages to help me, I try to tell Java to
give me more. Try to add 'debug = true' to jaas.conf and/or |add
-Dsun.security.krb5.debug=true to the environment variable JVM_ARGS.|

Felix

> I have also enabled the Kerberos for the browser and able to record the scenarios  but getting as SPNEGO authentication not supported in the recorded response code.
>
> Please help me with the steps to set up Jmeter for Kerberos authentication and suggestions to resolve the issue. ||
>
>
> Regards,
> Akhilekhya Avantsa,
> Test Analyst,
> Infosys Ltd, India
> +91 8639828304.
>
Reply | Threaded
Open this post in threaded view
|

RE: Kerberos/Spnego authentication Issues

Akhilekhya Avantsa
Hi Felix,

Thank you for the prompt response.

I have recorded a script for launching the SSO application of type Kerberos/Spnego authentication.(automatically logins when the application is launched) and captured the logs for the same.

Attached folder contains the JMeter log file, logs captured while recording , the properties and configuration files I modified and the error screenshots.

Please validate and suggest me if any changes required to achieve successful Kerberos authentication for the script.

Thanks & Regards,
Akhilekhya Avantsa,
Test Analyst,
Infosys Ltd, India
+91 8639828304.

-----Original Message-----
From: Felix Schumacher <[hidden email]>
Sent: Wednesday, November 18, 2020 4:06 PM
To: [hidden email]
Subject: Re: Kerberos/Spnego authentication Issues

[**EXTERNAL EMAIL**]

Am 17.11.20 um 20:23 schrieb Akhilekhya Avantsa:
> Hi Team,
>
> I am facing 401 unauthorized error for Kerberos authentication (spnego) using JMeter.
>
> For JMeter Kerberos setup - I have configured krb5.conf, jaas.conf and system properties of Jmeter. Also added domain and realm to the HTTP Authorization Manager yet getting  authentication issues.

Can you give us more details? Always remember, we can't see you setup and have to guess what you mean by configured X or added Y. There are tons of ways to configure something and not all are correct.

Are there any Kerberos/auth/SPNEGO related messages in jmeter.log? What are the headers looking like in the request/responses?

I often stumble upon configuring the wrong paths for krb5.conf or jaas.conf, especially when using relative paths.

If there are not enough log messages to help me, I try to tell Java to give me more. Try to add 'debug = true' to jaas.conf and/or |add -Dsun.security.krb5.debug=true to the environment variable JVM_ARGS.|

Felix

> I have also enabled the Kerberos for the browser and able to record the scenarios  but getting as SPNEGO authentication not supported in the recorded response code.
>
> Please help me with the steps to set up Jmeter for Kerberos
> authentication and suggestions to resolve the issue. ||
>
>
> Regards,
> Akhilekhya Avantsa,
> Test Analyst,
> Infosys Ltd, India
> +91 8639828304.
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Jmeter Logs for KerberosSpnego Issue.zip (374K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Kerberos/Spnego authentication Issues

Felix Schumacher

Am 18.11.20 um 14:49 schrieb Akhilekhya Avantsa:
> Hi Felix,
>
> Thank you for the prompt response.
>
> I have recorded a script for launching the SSO application of type Kerberos/Spnego authentication.(automatically logins when the application is launched) and captured the logs for the same.
>
> Attached folder contains the JMeter log file, logs captured while recording , the properties and configuration files I modified and the error screenshots.
>
> Please validate and suggest me if any changes required to achieve successful Kerberos authentication for the script.

The jmeter.log file seems to be the one, that was written when
recording. That is not so interesting to me :)

The file 'Logs captured while recording the script.txt' seems to be the
file, that contains the logs from the actual run and not the recording.
In that file, you will find some lines like:

Caused by: java.lang.SecurityException: java.io.IOException: jaas.conf
(No such file or directory)

and that indicates to me, that you should either put a absolute filename
to point to your jaas.conf or start JMeter from the correct directory
(the one, which contains jaas.conf (or the other way round, if you prefer)).

Another problematic line from the log is:

2020-11-18 18:48:17,727 WARN o.a.j.p.h.c.KerberosManager: Execution of
getting subject for ${AUTH_LOGIN} failed

That indicates, that JMeter could not find a valid JMeter variable named
AUTH_LOGIN. In such cases, JMeter will return the original value of the
expression, which was ${AUTH_LOGIN}.

The screenshot of the response-headers show, that your server is
returning the correct header to initiate the SPNEGO authentication, but
first you have to correct the two things about jaas.conf and AUTH_LOGIN.

Felix

>
> Thanks & Regards,
> Akhilekhya Avantsa,
> Test Analyst,
> Infosys Ltd, India
> +91 8639828304.
>
> -----Original Message-----
> From: Felix Schumacher <[hidden email]>
> Sent: Wednesday, November 18, 2020 4:06 PM
> To: [hidden email]
> Subject: Re: Kerberos/Spnego authentication Issues
>
> [**EXTERNAL EMAIL**]
>
> Am 17.11.20 um 20:23 schrieb Akhilekhya Avantsa:
>> Hi Team,
>>
>> I am facing 401 unauthorized error for Kerberos authentication (spnego) using JMeter.
>>
>> For JMeter Kerberos setup - I have configured krb5.conf, jaas.conf and system properties of Jmeter. Also added domain and realm to the HTTP Authorization Manager yet getting  authentication issues.
> Can you give us more details? Always remember, we can't see you setup and have to guess what you mean by configured X or added Y. There are tons of ways to configure something and not all are correct.
>
> Are there any Kerberos/auth/SPNEGO related messages in jmeter.log? What are the headers looking like in the request/responses?
>
> I often stumble upon configuring the wrong paths for krb5.conf or jaas.conf, especially when using relative paths.
>
> If there are not enough log messages to help me, I try to tell Java to give me more. Try to add 'debug = true' to jaas.conf and/or |add -Dsun.security.krb5.debug=true to the environment variable JVM_ARGS.|
>
> Felix
>
>> I have also enabled the Kerberos for the browser and able to record the scenarios  but getting as SPNEGO authentication not supported in the recorded response code.
>>
>> Please help me with the steps to set up Jmeter for Kerberos
>> authentication and suggestions to resolve the issue. ||
>>
>>
>> Regards,
>> Akhilekhya Avantsa,
>> Test Analyst,
>> Infosys Ltd, India
>> +91 8639828304.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Kerberos/Spnego authentication Issues

Akhilekhya Avantsa-2
Hi Felix,

Thanks for your reply. I was able to resolve below errors occurred in previous log file with the work arounds you mentioned.

But currently, I could see an error in log file as below. Attached is the detailed log file capture during script reply

2020-11-23 16:59:05,391 WARN o.a.j.p.h.c.KerberosManager: Could not log in user iqxja64 -->(username)
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)

Please let me know if I need to configure anything in properties file or kerberos config files. Is any login configuration file or the prinicipal name to be added?

Regards,
Akhilekhya Avantsa,
Test Analyst,
Infosys Ltd, India
 +91 8639828304.

-----Original Message-----
From: Felix Schumacher <[hidden email]>
Sent: Wednesday, November 18, 2020 8:00 PM
To: [hidden email]
Subject: Re: Kerberos/Spnego authentication Issues

[**EXTERNAL EMAIL**]

Am 18.11.20 um 14:49 schrieb Akhilekhya Avantsa:
> Hi Felix,
>
> Thank you for the prompt response.
>
> I have recorded a script for launching the SSO application of type Kerberos/Spnego authentication.(automatically logins when the application is launched) and captured the logs for the same.
>
> Attached folder contains the JMeter log file, logs captured while recording , the properties and configuration files I modified and the error screenshots.
>
> Please validate and suggest me if any changes required to achieve successful Kerberos authentication for the script.

The jmeter.log file seems to be the one, that was written when recording. That is not so interesting to me :)

The file 'Logs captured while recording the script.txt' seems to be the file, that contains the logs from the actual run and not the recording.
In that file, you will find some lines like:

Caused by: java.lang.SecurityException: java.io.IOException: jaas.conf (No such file or directory)

and that indicates to me, that you should either put a absolute filename to point to your jaas.conf or start JMeter from the correct directory (the one, which contains jaas.conf (or the other way round, if you prefer)).

Another problematic line from the log is:

2020-11-18 18:48:17,727 WARN o.a.j.p.h.c.KerberosManager: Execution of getting subject for ${AUTH_LOGIN} failed

That indicates, that JMeter could not find a valid JMeter variable named AUTH_LOGIN. In such cases, JMeter will return the original value of the expression, which was ${AUTH_LOGIN}.

The screenshot of the response-headers show, that your server is returning the correct header to initiate the SPNEGO authentication, but first you have to correct the two things about jaas.conf and AUTH_LOGIN.

Felix

>
> Thanks & Regards,
> Akhilekhya Avantsa,
> Test Analyst,
> Infosys Ltd, India
> +91 8639828304.
>
> -----Original Message-----
> From: Felix Schumacher <[hidden email]>
> Sent: Wednesday, November 18, 2020 4:06 PM
> To: [hidden email]
> Subject: Re: Kerberos/Spnego authentication Issues
>
> [**EXTERNAL EMAIL**]
>
> Am 17.11.20 um 20:23 schrieb Akhilekhya Avantsa:
>> Hi Team,
>>
>> I am facing 401 unauthorized error for Kerberos authentication (spnego) using JMeter.
>>
>> For JMeter Kerberos setup - I have configured krb5.conf, jaas.conf and system properties of Jmeter. Also added domain and realm to the HTTP Authorization Manager yet getting  authentication issues.
> Can you give us more details? Always remember, we can't see you setup and have to guess what you mean by configured X or added Y. There are tons of ways to configure something and not all are correct.
>
> Are there any Kerberos/auth/SPNEGO related messages in jmeter.log? What are the headers looking like in the request/responses?
>
> I often stumble upon configuring the wrong paths for krb5.conf or jaas.conf, especially when using relative paths.
>
> If there are not enough log messages to help me, I try to tell Java to
> give me more. Try to add 'debug = true' to jaas.conf and/or |add
> -Dsun.security.krb5.debug=true to the environment variable JVM_ARGS.|
>
> Felix
>
>> I have also enabled the Kerberos for the browser and able to record the scenarios  but getting as SPNEGO authentication not supported in the recorded response code.
>>
>> Please help me with the steps to set up Jmeter for Kerberos
>> authentication and suggestions to resolve the issue. ||
>>
>>
>> Regards,
>> Akhilekhya Avantsa,
>> Test Analyst,
>> Infosys Ltd, India
>> +91 8639828304.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Kerberos SSO issue-JmeterLogFile.txt (33K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Kerberos/Spnego authentication Issues

Felix Schumacher

Am 23.11.20 um 14:25 schrieb Akhilekhya Avantsa:
> Hi Felix,
>
> Thanks for your reply. I was able to resolve below errors occurred in previous log file with the work arounds you mentioned.
>
> But currently, I could see an error in log file as below. Attached is the detailed log file capture during script reply
>
> 2020-11-23 16:59:05,391 WARN o.a.j.p.h.c.KerberosManager: Could not log in user iqxja64 -->(username)
> javax.security.auth.login.LoginException: Client not found in Kerberos database (6)

Have you checked, that iqxja64 is a valid user (and has the password you
use) in the domain of your choosing?

If your user (iqxja64) is not in the default domain you specified in
HTTP Authorization Manager, you could try to specify a user with a
domain added, for example [hidden email]

As you used a variable for the user in the authorization manager, you
could add the @MY.DOMAIN.INVALID to the field where you used
"${AUTH_USER}", that is "${AUTH_USER}@MY.DOMAIN.INVALID".

If you enabled debug logs for kerberos, as I described before, you
should get more log messages (may be on STDOUT, only).

Felix

>
> Please let me know if I need to configure anything in properties file or kerberos config files. Is any login configuration file or the prinicipal name to be added?
>
> Regards,
> Akhilekhya Avantsa,
> Test Analyst,
> Infosys Ltd, India
>  +91 8639828304.
>
> -----Original Message-----
> From: Felix Schumacher <[hidden email]>
> Sent: Wednesday, November 18, 2020 8:00 PM
> To: [hidden email]
> Subject: Re: Kerberos/Spnego authentication Issues
>
> [**EXTERNAL EMAIL**]
>
> Am 18.11.20 um 14:49 schrieb Akhilekhya Avantsa:
>> Hi Felix,
>>
>> Thank you for the prompt response.
>>
>> I have recorded a script for launching the SSO application of type Kerberos/Spnego authentication.(automatically logins when the application is launched) and captured the logs for the same.
>>
>> Attached folder contains the JMeter log file, logs captured while recording , the properties and configuration files I modified and the error screenshots.
>>
>> Please validate and suggest me if any changes required to achieve successful Kerberos authentication for the script.
> The jmeter.log file seems to be the one, that was written when recording. That is not so interesting to me :)
>
> The file 'Logs captured while recording the script.txt' seems to be the file, that contains the logs from the actual run and not the recording.
> In that file, you will find some lines like:
>
> Caused by: java.lang.SecurityException: java.io.IOException: jaas.conf (No such file or directory)
>
> and that indicates to me, that you should either put a absolute filename to point to your jaas.conf or start JMeter from the correct directory (the one, which contains jaas.conf (or the other way round, if you prefer)).
>
> Another problematic line from the log is:
>
> 2020-11-18 18:48:17,727 WARN o.a.j.p.h.c.KerberosManager: Execution of getting subject for ${AUTH_LOGIN} failed
>
> That indicates, that JMeter could not find a valid JMeter variable named AUTH_LOGIN. In such cases, JMeter will return the original value of the expression, which was ${AUTH_LOGIN}.
>
> The screenshot of the response-headers show, that your server is returning the correct header to initiate the SPNEGO authentication, but first you have to correct the two things about jaas.conf and AUTH_LOGIN.
>
> Felix
>
>> Thanks & Regards,
>> Akhilekhya Avantsa,
>> Test Analyst,
>> Infosys Ltd, India
>> +91 8639828304.
>>
>> -----Original Message-----
>> From: Felix Schumacher <[hidden email]>
>> Sent: Wednesday, November 18, 2020 4:06 PM
>> To: [hidden email]
>> Subject: Re: Kerberos/Spnego authentication Issues
>>
>> [**EXTERNAL EMAIL**]
>>
>> Am 17.11.20 um 20:23 schrieb Akhilekhya Avantsa:
>>> Hi Team,
>>>
>>> I am facing 401 unauthorized error for Kerberos authentication (spnego) using JMeter.
>>>
>>> For JMeter Kerberos setup - I have configured krb5.conf, jaas.conf and system properties of Jmeter. Also added domain and realm to the HTTP Authorization Manager yet getting  authentication issues.
>> Can you give us more details? Always remember, we can't see you setup and have to guess what you mean by configured X or added Y. There are tons of ways to configure something and not all are correct.
>>
>> Are there any Kerberos/auth/SPNEGO related messages in jmeter.log? What are the headers looking like in the request/responses?
>>
>> I often stumble upon configuring the wrong paths for krb5.conf or jaas.conf, especially when using relative paths.
>>
>> If there are not enough log messages to help me, I try to tell Java to
>> give me more. Try to add 'debug = true' to jaas.conf and/or |add
>> -Dsun.security.krb5.debug=true to the environment variable JVM_ARGS.|
>>
>> Felix
>>
>>> I have also enabled the Kerberos for the browser and able to record the scenarios  but getting as SPNEGO authentication not supported in the recorded response code.
>>>
>>> Please help me with the steps to set up Jmeter for Kerberos
>>> authentication and suggestions to resolve the issue. ||
>>>
>>>
>>> Regards,
>>> Akhilekhya Avantsa,
>>> Test Analyst,
>>> Infosys Ltd, India
>>> +91 8639828304.
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [hidden email]
>>> For additional commands, e-mail: [hidden email]
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [hidden email]
>>> For additional commands, e-mail: [hidden email]