On Fri, Jan 16, 2015 at 12:59 PM, Felix Schumacher
<[email protected]> wrote:
Am 16.01.2015 10:49, schrieb Martijn de Vrieze:
Hey Felix,
thanks for the help so far :)
BTW, does it make a difference that I am working from a 64b Linux
box?
Although when within the domain, on a windows (citrix) box I get the
same
errors.
I do my testing from linux, so I am sure, that linux works.
I started off initially trying it over 88, which gives the exact
same
time-out.
Then maybe not only the port is wrong, but the dns name also? The kdc
is not the website server you are trying to connect to, but the key
distribution center, that is the kerberos server.
When I asked the implementation partner they claimed it should just
run
over 443, but than again, what do they know :)
If they tell you it is 443, they probably mean the webserver, which
is most likely not the kdc.
One thing I have noticed so far, is that the request headers contain
nothing towards auth types:
That is OK, since you have no TGT or service ticket and if it is the
first request no knowlegde, that the server is willing to speak SPNEGO.
Request Headers:
Connection: keep-alive
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1;
WOW64;
Trident/6.0)
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Pragma: no-cache
Cache-Control: no-cache
Host: tst-crm20.veh.nl
Whereas the response header does tell me the www-auth => negotiate
Thread Name: Jmeter 1-1
Sample Start: 2015-01-16 10:36:01 CET
Load time: 90209
Latency: 90208
Size in bytes: 485
Headers size in bytes: 425
Body size in bytes: 60
Sample Count: 1
Error Count: 1
Response code: 401
Response message: Unauthorized
Response headers:
HTTP/1.1 401 Unauthorized
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/plain
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
REQ_ID: e73cba80-97e4-4444-a201-a50ab6957a31
Set-Cookie: ReqClientId=51c362af-23e0-4dad-a299-10e6bf67c310;
expires=Fri,
16-Jan-2065 09:37:31 GMT; path=/; secure; HttpOnly
WWW-Authenticate: Negotiate
This is good, as it means that the server is willing to speak SPNEGO
with you.
X-Powered-By: ASP.NET
Date: Fri, 16 Jan 2015 09:37:31 GMT
HTTPSampleResult fields:
ContentType: text/plain
DataEncoding: null
Also, Tried connecting straight through Java and that worked like a
charm.
Code is somewhat like this:
public class NTLM_ping {
public NTLM_ping(){
super();
}
public static void main(String[]args) throws Exception {
DefaultHttpClient httpClient = new DefaultHttpClient();
httpClient.getAuthSchemes().register("ntlm",new
NTLMSchemeFactory());
That is great, but you are not using kerberos here.
This is NTLM, which you could use with jmeter, too. I believe you
have to fill in the domain and
realm columns and use BASIC_DIGEST instead of Kerberos.
But keep in mind, that kerberos is cooler and probably more secure.
// add credentials
httpClient.getCredentialsProvider().setCredentials(
new AuthScope("TEST", -1),
new
NTCredentials("m.devrieze","PassWord","tst-crm20.test.nl
","TEST"));
HttpGet httpGet = new HttpGet("http://tst-crm20.test.nl";);
// ignore cookies
/*httpGet.getParams().setParameter("http.protocol.cookie-policy",
CookiePolicy.ACCEPT_ALL);
*/
try{
// execute the GET
HttpResponse status = httpClient.execute(httpGet);
System.out.println(status.getProtocolVersion());
System.out.println(status.getStatusLine().getStatusCode());
System.out.println(status.getStatusLine().getReasonPhrase());
System.out.println(status.getStatusLine().toString());
}finally {
// release any sources
}
And by the way, could you stop answering in top-post style?
Regards
Felix
On Fri, Jan 16, 2015 at 10:21 AM, Felix Schumacher <
[email protected]> wrote:
Am 16.01.2015 09:58, schrieb Martijn de Vrieze:
krb5.conf
[libdefaults]
default_realm = TEST.NL
default_tkt_enctypes =
aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes =
aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true
[realms]
TEST.NL = {
kdc = tst-crm20.test.nl:443
This is a strange port for a kdc. I would expect it to listen on
88.
}
[domain_realm]
test.nl= TEST.NL
.test.nl= TEST.NL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
jaas.conf
JMeter {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=false
useKeyTab=false
storeKey=false;
};
On rerunning I recieved the following error (which I have not seen
before:
2015/01/16 09:57:52 WARN -
org.apache.http.client.protocol.RequestTargetAuthentication:
NEGOTIATE
authentication error: No valid credentials provided (Mechanism
level: No
valid credentials provided (Mechanism level: Failed to find any
Kerberos
tgt))
That is probably because you don't connect to the right port and
noone
responds to you. Try another kdc port.
Regards
Felix
*Martijn de Vrieze*
Phone: +31618707784 | Skype: martijndevrieze | gtalk:
[email protected] | Twitter:
http://www.twitter.com/martijndevrieze | Linkedin:
http://www.linkedin.com/in/martijndevrieze | Home:
http://www.martijndevrieze.nl
On Fri, Jan 16, 2015 at 9:01 AM, Felix Schumacher <
[email protected]> wrote:
Am 15.01.2015 22:48, schrieb Martijn de Vrieze:
I have been struggling somewhat with JMeter and kerberos lately.
Google
so
far has not been able to help me out with the issue I am facing.
The system under test is a Microsoft CRM 2013 platform, up until
a few
days
ago my tests worked fine since basic auth was switched on.
However on
the
most recent drop with changes they also switched over to
kerberos auth
only.
I have:
* filled in the KRB5.CONF with all relevant information
* HTTP AUTH Manager in the script with base URL, username,
password,
domain and KERBEROS filled in
* HTTP Request defaults to ensure and enforce HTTP4 use, HTTPS
over port
443 and the same base URL all over the place
However I cannot get it to work properly, logging in simply
refuses to
work
for me. I'd really appreciate some help here, I use Jmeter
fairly often,
with this I am however completely stuck.
When running the first step, which instantly receives the
KERBEROS ath
request I get the following in my logs:
2015/01/15 17:13:02 INFO - jmeter.threads.JMeterThread: Thread
started:
Jmeter 1-1
2015/01/15 17:13:02 INFO - jmeter.services.FileServer: Stored:
users.csv
2015/01/15 17:13:02 DEBUG -
jmeter.protocol.http.control.CacheManager:
GET(OAH) http://tst-crm20.test.nl/TEST/main.aspx null
2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.
HC4CookieHandler:
Found 0 cookies for http://tst-crm20.test.nl/TEST/main.aspx
2015/01/15 17:13:02 DEBUG -
jmeter.protocol.http.control.CacheManager:
inCache http://tst-crm20.test.nl/TEST/main.aspx null
2015/01/15 17:13:02 DEBUG -
jmeter.protocol.http.control.AuthManager:
Target URL strings to match against:
http://tst-crm20.test.nl/TEST/
main.aspx
and http://tst-crm20.test.nl:80/TEST/main.aspx
<http://tst-crm20.test.nl/TEST/main.aspx>
2015/01/15 17:13:02 DEBUG -
jmeter.protocol.http.control.AuthManager:
Checking match against auth'n entry: http://tst-crm20.test.nl
2015/01/15 17:13:02 DEBUG -
jmeter.protocol.http.control.AuthManager:
Matched
2015/01/15 17:13:02 DEBUG -
jmeter.protocol.http.control.AuthManager:
Target URL strings to match against:
http://tst-crm20.test.nl/TEST/
main.aspx
and http://tst-crm20.test.nl:80/TEST/main.aspx
<http://tst-crm20.test.nl/TEST/main.aspx>
2015/01/15 17:13:02 DEBUG -
jmeter.protocol.http.control.AuthManager:
Checking match against auth'n entry: http://tst-crm20.test.nl
2015/01/15 17:13:02 DEBUG -
jmeter.protocol.http.control.AuthManager:
Matched
2015/01/15 17:13:02 DEBUG -
jmeter.protocol.http.control.AuthManager:
m.devrieze > D=TEST R= M=KERBEROS
2015/01/15 17:13:02 DEBUG -
jmeter.protocol.http.control.CacheManager:
GET(OAH) http://tst-crm20.test.nl/TEST/main.aspx null
2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.
HC4CookieHandler:
Found 0 cookies for http://tst-crm20.test.nl/TEST/main.aspx
2015/01/15 17:13:02 DEBUG -
jmeter.protocol.http.control.CacheManager:
inCache http://tst-crm20.test.nl/TEST/main.aspx null
2015/01/15 17:13:02 DEBUG -
jmeter.protocol.http.control.AuthManager:
Target URL strings to match against:
http://tst-crm20.test.nl/TEST/
main.aspx
and http://tst-crm20.test.nl:80/TEST/main.aspx
<http://tst-crm20.test.nl/TEST/main.aspx>
2015/01/15 17:13:02 DEBUG -
jmeter.protocol.http.control.AuthManager:
Checking match against auth'n entry: http://tst-crm20.test.nl
2015/01/15 17:13:02 DEBUG -
jmeter.protocol.http.control.AuthManager:
Matched
2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.
KerberosManager:
Subject cached:[] before:m.devrieze
2015/01/15 17:14:32 WARN - jmeter.protocol.http.control.
KerberosManager:
Could not log in user m.devrieze javax.security.auth.login.
LoginException:
Receive timed out
It seems, that the kerberos server did not answer the request
for a
service ticket (at least not within the default timeout of 30s).
Could you rerun the test with the java system property
"sun.security.krb5.debug" set to true?
Could you post the contents of your krb5.conf and jaas.conf file?
Regards
Felix
*Thanks! *
*Martijn de Vrieze*
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
