Re: "Authentication required" message keeps popping up during script recording

Hi Felix,

Can you please let me know if you have a solution for this issue?

Well, I have no direct solution for you, as I don't know enough about your setup. But I have tried to simulate a NTLM server that is reached through JMeter as a proxy.

For that I setup the test plan that I attached. It was set up with the template "Recording with think time" and I added a mirror server element to the thread group. Both the mirror server and the proxy server need to be started. The proxy will listen on port 8888 and the mirror server on port 8081.

Now to simulate a NTLM authenticating server I use the features of the mirror server, where you can specify the response headers in the request headers using X-SetHeaders and X-SetResponseStatus and generated the request using curl (under linux):

 $ http_proxy=http://localhost:8888 curl --ntlm -u user:password -D - -H "X-SetHeaders: something: strange|www-authenticate: Negotiate" -H "X-SetResponseStatus: 401" localhost:8081
HTTP/1.0 200 OK
Content-Type: text/plain
something: strange
www-authenticate: Negotiate

GET / HTTP/1.1
Connection: close
Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
X-SetResponseStatus: 401
Host: localhost:8081
User-Agent: curl/7.68.0
Accept: */*
X-SetHeaders: something: strange|www-authenticate: Negotiate

As you can see (besides the strange header and the munged headers), the client got the www-authenticate header and responded with an authorization header. Inside JMeter you can find the requests both in the View Results Tree and the recording controller. In the test plan JMeter should have added a HTTP authorization manager with an entry for the server.

I suggest you try to setup this simple test for yourself and see, if you can find all the requests that were made during the recording. After that, I would repeat the more complex setup you are trying and try to find differences in the recorded samples.

Felix

Thanks

Sastry

On Wed, Sep 9, 2020 at 2:42 PM SAS <[hidden email]> wrote:

here are response headers:

HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: NTLM 

{deleted encoded data}
Date: Wed, 09 Sep 2020 18:38:29 GMT
Connection: close
Content-Length: 341

On Wed, Sep 9, 2020 at 12:42 PM Felix Schumacher <[hidden email]> wrote:

Am 09.09.20 um 16:35 schrieb SAS:
> *Here are request headers: I have deleted the value of authorization for
> security reasons.*
>
> Connection: close
> Authorization: NTLM {Deleted the value here}
This is good, as it shows, that the client has sent some credentials.
> Accept-Language: en-US,en;q=0.5
> Host: corportaluat.corp.xxxxxx.com
> Upgrade-Insecure-Requests: 1
> Accept-Encoding: gzip, deflate, br
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0)
> Gecko/20100101 Firefox/68.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>
> *Here are response headers:*

But the below lines are not the response headers. That was the response
data.

Do you have access to the server you are contacting? It might be easier
to look for the headers there (or the absence).

If you don't have access, or it is not possible to look at the headers
there, you can try to start JMeter with the java option
*-Djavax.net.debug=all*

I think it will log into the console. It should print out all network
traffic, that is routed through JMeter, so it might be quite a lot. Have
a look for the headers there, too.

Note, I haven't tried NTLM authentication together with the proxy
feature. I think it should work, but I can't tell for sure.
**

Felix

>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""
> http://www.w3.org/TR/html4/strict.dtd">
> <HTML><HEAD><TITLE>Not Authorized</TITLE>
> <META HTTP-EQUIV="Content-Type" Content="text/html;
> charset=us-ascii"></HEAD>
> <BODY><h2>Not Authorized</h2>
> <hr><p>HTTP Error 401. The requested resource requires user
> authentication.</p>
> </BODY></HTML>
>
> I am giving valid credentials and still it says, not authorized.
>
>
> On Wed, Sep 9, 2020 at 9:50 AM Felix Schumacher <
> [hidden email]> wrote:
>
>> Am 09.09.20 um 14:58 schrieb SAS:
>>> I am not creating manual HTTP requests to add authentication manually.
>>>
>>> The issue I am facing is happening during the recording process.
>> shouldn't
>>> the tool automatically detect the authentication and pass through this
>>> step?
>> JMeter acts as a proxy and doesn't care about the authentication
>> mechanism of the website you are using.
>>
>> To help you here, we probably need more information on the headers, that
>> your client sends and that the webserver is replying with. If you
>> started your test plan (and the proxy) from the template "Recording with
>> think time" (which I recommend), than you will find all the requests in
>> the View Results Tree element under the HTTP(s) Test Script Recorder.
>>
>> Have a look at the headers and if you can, show them to us. Most
>> interesting will be the headers that are named Authorization and
>> WWW-Authenticate.
>>
>> Note, that the value of the Authorization header includes your
>> credentials, so replace them with something safe.
>>
>> Also note, that JMeter will not extract your credentials from the
>> headers. You have to insert those into the test plan by hand after the
>> recording has finished. But I understood that this is not your problem.
>>
>> Felix
>>
>>> Thanks,
>>> Sastry
>>>
>>> On Wed, Sep 9, 2020 at 1:06 AM Amit Dhumal <[hidden email]>
>> wrote:
>>>> Please verify the type of authentication in HTTP request header. In
>> case of
>>>> NTLM authentication please follow steps as per:
>>>> https://www.blazemeter.com/blog/windows-authentication-apache-jmeter
>>>>
>>>> On Wed, Sep 9, 2020 at 9:18 AM SAS <[hidden email]> wrote:
>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I am trying to record the script using JMeter for a web application
>>>> that
>>>>>> has windows authentication enabled.  I have setup a proxy in Firefox
>>>> for
>>>>>> recording purposes.
>>>>>>
>>>>>> However, when I tried recording the script, "Authentication required"
>>>>>> message kept popping up even after I provided valid credentials.  If I
>>>>> hit
>>>>>> cancel on the popup message, I see the "401 Unauthorized" message.
>>>>>>
>>>>>> Please note, it happens only during recording.  I am able to
>>>> successfully
>>>>>> login to the website when I was not recording.
>>>>>>
>>>>>> Please let me know how we can resolve this-
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>> SASTRY
>>>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Amit Dhumal
>>>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>
>>

--

Thanks

SASTRY

--

Thanks

SASTRY

proxy-auth.jmx (12K) Download Attachment