Altentee | Performance & Test Automation Specialists
27 Oct 08

Performance Testing SPNEGO or Kerberos with LoadRunner

Alas, it can't be done in JMeter. So this is how it works in LoadRunner ...
This challenge came up recently and we were able to figure out how to test SPNEGO or Kerberos using Integrated Windows Authentication with LoadRunner.

To test this I built a VM with Win2K3, an AD domain and IIS6. To enforce Kerberos-only authentication I modified IIS as per the following:
[Screenshot: kerb1.png]

I didn't have WebSEAL (which is what I was ultimately trying to simulate) but I believe this is reasonably close, to quote:

Integrated Windows authentication uses Kerberos v5 authentication and NTLM authentication. Kerberos is an industry-standard authentication protocol that is used to verify user or host identity. If Active Directory is installed on a domain controller running Windows 2000 Server or Windows Server 2003, and the client browser supports the Kerberos v5 authentication protocol, Kerberos v5 authentication is used; otherwise, NTLM authentication is used.

So to log on to my test page I needed to provide domain credentials in IE. I also made sure my client IE enforces IWA as per the following:
[Screenshot: kerb2.png]

If I don't provide my domain credentials (in this case: smallbusiness\fred) then I get knocked back with a 401 as expected.

On generation of my LR script the first response is a 401.2. It then does a second request with the authorization header i.e.
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==

The response header to this tells me to authenticate i.e.
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAGgAaADgAAAAFgomir1xcxf5zo2MAAAAAAAAAAOIA4gBSAAAABQLODgAAAA9TAE0AQQBMAEwAQgBVAFMASQBOAEUAUwBTAAIAGgBTAE0AQQBMAEwAQgBVAFMASQBOAEUAUwBTAAEAHgBLAE8ATwBQAFMALQA5ADYAWABZADIAVwBEAFUANgAEACYAcwBtAGEAbABsAGIAdQBzAGkAbgBlAHMAcwAuAGwAbwBjAGEAbAADAEYAawBvAG8AcABzAC0AOQA2AHgAeQAyAHcAZAB1ADYALgBzAG0AYQBsAGwAYgB1AHMAaQBuAGUAcwBzAC4AbABvAGMAYQBsAAUAJgBzAG0AYQBsAGwAYgB1AHMAaQBuAGUAcwBzAC4AbABvAGMAYQBsAAAAAAA=

The next request authorizes presumably with the correct token i.e.
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAIgAAAAYABgAoAAAABoAGgBIAAAACAAIAGIAAAAeAB4AagAAAAAAAAC4AAAABYKIogUCzg4AAAAPcwBtAGEAbABsAGIAdQBzAGkAbgBlAHMAcwBmAHIAZQBkAEsATwBPAFAAUwAtADkANgBYAFkAMgBXAEQAVQA2AB15bTxE3i63AAAAAAAAAAAAAAAAAAAAALQ6IC82wYIBXpniDchRG9zSW8/bC4891w==

From which the response is gravy, and my homepage loads.
So the recording process looks like it went through the necessary authentication steps.

Now in my LR script Action() I can set the domain credentials dynamically with web_set_user (hence emulate multiple users) i.e.
web_set_user("smallbusiness\\fred","********", "smallbusiness.local:80");

Then follow with a web_url request to the server i.e.

	web_url("smallbusiness.local",
		"URL=http://smallbusiness.local/",
		"Resource=0",
		"RecContentType=text/html",
		"Referer=",
		"Snapshot=t1.inf",
		"Mode=HTML",
		LAST);

Play that back and it fails. (Assuming WebSEAL will reject NTLM which in this case my test rig won't, but I can make that assumption...)

Now change a couple of runtime settings:
Internet Protocol->Preferences->Options->Authentication->Enable Integrated Authentication
[Screenshot: kerb3.png]

This makes sure that when the server asks for authentication via the first 401.2/1, SPNEGO/Negotiate/Kerberos is tried *first*, before any other protocol (like NTLM).

You also need to change:
Internet Protocol->Preferences->Advanced->WinInet [checked]:
[Screenshot: kerb4.png]

This instructs VuGen to use the WinInet replay engine instead of the standard Sockets replay. VuGen has two HTTP replay engines: Sockets-based (the default) and WinInet-based. WinInet is the engine used by Internet Explorer and it supports all of the features incorporated into the IE browser. I think this *better* emulates the IE client settings for IWA ...

And re-run the script. I now get past the authentication using Kerberos and successfully load my home page... This can be repeated for WebSEAL provided you first do a web_set_user (so it knows what domain credentials to use) which effectively lets you run the test with multiple users... Great for testing those WebSEAL/SPNEGO/Kerberos single sign on solutions... :)
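An added example, not part of the original post or of LoadRunner: a Python check for confirming which mechanism a replay actually negotiated. The tokens recorded above start with `TlRMTVNTUAAB`, which is the base64 of the `NTLMSSP` signature, so a `Negotiate` header on its own does not prove Kerberos was used. The function names and sample tokens are constructed for illustration, and the OID match is a heuristic, not a full ASN.1 parse.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))  # 1.2.840.48018.1.2.2 (MS)

def classify_negotiate(header_value):
    """Classify the token in an Authorization / WWW-Authenticate header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other"
    if not b64.strip():
        return "empty-challenge"            # bare "Negotiate" on the first 401
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                      # binascii.Error subclasses ValueError
        return "invalid-base64"
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return f"ntlm-type{msg_type}"       # raw NTLMSSP carried under Negotiate
    if raw[:1] == b"\x60":                  # GSS-API InitialContextToken
        if NTLMSSP_SIG in raw:
            return "spnego-wrapped-ntlm"
        if any(oid in raw for oid in KRB5_OIDS):
            return "kerberos"               # heuristic: Kerberos mech OID present
        return "gssapi-unknown-mech"
    if raw[:1] == b"\xa1":                  # SPNEGO NegTokenResp (later legs)
        return "spnego-response"
    return "unknown"

def replay_used_kerberos(auth_headers):
    """True only if a Kerberos token was sent and no NTLM leg was seen."""
    kinds = [classify_negotiate(h) for h in auth_headers]
    return "kerberos" in kinds and not any("ntlm" in k for k in kinds)

# Constructed samples (not captured traffic): an NTLMSSP type 1 message and a
# minimal, truncated SPNEGO NegTokenInit prefix that lists the Kerberos mech.
_ntlm1 = NTLMSSP_SIG + struct.pack("<II", 1, 0xA2088207) + b"\x00" * 16
_body = SPNEGO_OID + b"\xa0\x0d\x30\x0b" + KRB5_OIDS[0]
_spnego = b"\x60" + bytes([len(_body)]) + _body
SAMPLE_NTLM = "Negotiate " + base64.b64encode(_ntlm1).decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(_spnego).decode()

if __name__ == "__main__":
    for h in ("Negotiate", SAMPLE_NTLM, SAMPLE_KRB):
        print(classify_negotiate(h), "<-", h[:40])
```

Feed it the `Authorization` header values from a replay log or proxy capture; any `ntlm` result means the run fell back to NTLM and is not exercising the Kerberos path.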

About Tim Koopmans

Tim spent his formative years in the army, initially wanting to be a pilot but instead developed a love of computers and all things automated. Since leaving the army Tim has been providing performance testing and test automation services to government agencies and big corporations. He has since co-founded Altentee to open the way for other companies interested in performance and test automation.
Comments (6) Trackbacks (0)
  1. Remember, if you’re going to be testing via HTTPS then make sure you change the port number in your web_set_user call!

    web_set_user("smallbusiness\\fred","********", "smallbusiness.local:443");

  2. Thank you very much for the details. We have Web-click and script protocol used and SSO is not working. Do you have any solution for that?

    But thank you very much for the details you provided. I tried the concept you mention and it works for HTTP/HTML protocol but not with web click and script protocol. I will be very thankful if you could provide any details in regards to that.

    regards,
    Ibrahim.

  3. Hi, this is a very informative narration of the SSO testing… How do I enable IP Spoofing with SSO (SPNEGO). WinInet and IP Spoofing don’t work together… Any Solution for this …..

    Thanks,
    Raj

  4. You are a god.

  5. Hi,

    Thanks for the information you provided. It worked for me when I record the script through web HTTP/HTML, but the app I am load testing has some Java AJAX calls, so I need to use Ajax (click and script). I followed the same steps provided for HTTP/HTML but the script failed to reply.

    I would appreciate if you could provide the solution.

    Thanks in Advance..
    Harry

  6. Hi guys, I’ve provided improved instructions here
    http://90kts.com/blog/2009/improved-spnego-or-kerberos-support-with-loadrunner/

    This should help you out, particularly if WinInet was causing you dramas…

    Enjoy

