Previously I identified a way to test SPNEGO or Kerberos authentication with LoadRunner. However, this implementation was buggy: if you ran your load tests under reasonable load with the WinInet replay engine (instead of sockets), you were likely to encounter the following error:
Error -27492: "HttpSendRequest" failed, Windows error code=12057 (certificate revoked) and retry limit (0) exceeded for URL="https://someplacesecure.com.au/secure.html", Snapshot Info [MSH 1 2]
This error occurs when using WinInet replay instead of sockets with Integrated Authentication enabled in run-time settings. The purpose of this was to allow vusers to use SSO with SPNEGO authentication in an IBM WebSEAL environment.
After spending some time with the mystical HP level 3 support, they identified an undocumented flag which helps out significantly in this. So, instead of using the WinInet replay engine (which is not encouraged by HP) you should do something similar to the following.
vuser_init()
{
    // Preferred run-time settings
    //   Browser -> Browser Emulation
    //     [ ] Simulate a new user on each iteration
    //   Preferences -> Options
    //     Enable Integrated Authentication [Yes]
    web_set_sockets_option("INITIAL_BASIC_AUTH", "1");
    web_set_user("DOMAIN.LOCAL\\username", "password", "someplacesecure.com.au:443");
    web_url("myportal",
        "URL=https://someplacesecure.com.au/wps",
        "Resource=0",
        "Referer=",
        "Mode=HTML",
        LAST);
    return 0;
}
The magic is in the web_set_sockets_option("INITIAL_BASIC_AUTH","1") flag. Set that and you can then use LoadRunner in sockets mode, which as it turns out is much more stable.
Enjoy.

PS. You will also need a file called krb5.ini available in your system path i.e. C:\windows
It should look something like this:
[libdefaults]
default_realm = DOMAIN.LOCAL
default_keytab_name = FILE:c:\winnt\krb5.keytab
default_tkt_enctypes = des-cbc-md5 rc4-hmac
default_tgs_enctypes = des-cbc-md5 rc4-hmac
[realms]
dc01.domain.local = {
kdc = dc01.domain.local
default_domain = domain.local
}
[domain_realm]
.domain.local = dc01.domain.local
I tried using the statement you specified and it resulted in script failures. I also noticed that INITIAL_BASIC_AUTH is not listed as an available argument for the web_set_sockets_option function. Did HP provide you with any custom dlls?
No additional dll’s were provided. We’re using LR version 9. What version are you on? Also there is no documentation for that sockets option.
Regards,
Tim
The documentation for web_set_sockets_option is present in LR9.5. But the first argument I couldn’t find there. I have tried all the options suggested, but my scripts won’t run. The error I get is “Kerberos can not recognize hostname”
Here is the error detail:
Action.c(235): Error -26630: HTTP Status-Code=401 (Unauthorized) for
“http://*******.com:8001/XXX//xxx/amf” [MsgId: MERR-26630]
Action.c(235): t=7169ms: Closing connection to server *******.com -
server indicated that the connection should be closed [MsgId:
MMSG-26000]
Action.c(235): t=7170ms: Closed connection to ********.com:8001 after
completing 1 request [MsgId: MMSG-26000]
Error -26000: An invalid name was supplied
Configuration file does not specify default realm
[initialize_name] [MsgId: MERR-26000]
Action.c(235): Error -27712: Kerberos can not recognize hostname An
invalid name was supplied
Configuration file does not specify default realm
[initialize_name]. [MsgId: MERR-27712]
Action.c(235): t=7192ms: Request done “http://**********.com:8001/XXX//
xxx/amf” [MsgId: MMSG-26000]
Action.c(235): flex_web_request(“amf”) highest severity level was
“ERROR”, 1518 body bytes, 167 header bytes [MsgId: MMSG-26388]
Ending action Action.
My browser also has “enable Integrated Authentication checked”
I don’t have access to the krb5.ini file. Is this error due to the ini file? Can you help?
Yes you will need to create a kerberos ini file. See my first comment in this post. Create it and store it somewhere accessible in your default path.
Regards,
Tim
Hi Tim, I’m also facing the same problem for one of the applications which I’m working on. I’ve created the krb5.ini file and saved it under c:\WINDOWS, but I don’t know how to create the keytab file. Could you please give me some tips on how to create the keytab file?
Thanks in advance.
Regards
Karan
In the end I didn’t have a keytab file. Can you post the error here?
Hi Tim, Thanks a lot for your help.
Here are the details. currently we are using 9.5 version.
———-
Script
web_set_sockets_option("INITIAL_BASIC_AUTH","1");
web_set_user("yyyy\\userid", "pwd", "app.com:80");
web_url("HomePage",
"URL=http://app.com/",
"TargetFrame=",
"Resource=0",
"RecContentType=text/html",
"Referer=",
"Snapshot=t1.inf",
"Mode=HTML",
LAST);
———————–
————-
Error message
Action.c(27): Continuing after Error -27734: Internal Error – can’t get initial credentials for username/password rmatte/Merrill1009 [MsgId: MERR-27734]
—————–
————-
Krb5.ini
[libdefaults]
default_realm = DOMAIN.LOCAL
default_keytab_name = FILE:c:\winnt\krb5.keytab
default_tkt_enctypes = des-cbc-md5 rc4-hmac
default_tgs_enctypes = des-cbc-md5 rc4-hmac
[realms]
dc01.domain.local = {
kdc = dc01.domain.local
default_domain = domain.local
}
[domain_realm]
.domain.local = dc01.domain.local
————-
Did I create the Krb5.ini file in the right format?
Thanks & Regards
Karan
The problem is you haven’t updated the domain controllers in your [realms] to point to real DCs. You’re just using my example file i.e. dc01.domain.local. You need to find out what the names are of your DCs and update accordingly. You can normally figure this out with a wireshark trace, or just ask your system admin type people. The error message is basically telling you this, i.e. it can’t get the username/password for rmatte/Merrill1009
Cheers,
Tim
Hi Tim, I’ve updated the Krb5.ini file but I’m getting a different error message now: “Miscellaneous failure Server not found in Kerberos database [MsgId: MERR-27734]”
I’m seeing Domain name as “YYYY”, Server Name as “Webserver1”, Domain DNS Name as “yyyy.asd.as.com” and Server DNS Name as “Webserver1.yyyy.asd.as.com” in the Wireshark.
—————–
Krb5.ini file is
[libdefaults]
default_realm = YYYY.ASD.AS.COM
default_keytab_name = c:\winnt\krb5.keytab
default_tkt_enctypes = des-cbc-md5 rc4-hmac
default_tgs_enctypes = des-cbc-md5 rc4-hmac
[realms]
Webserver1.yyyy.asd.as.com = {
kdc = Webserver1.yyyy.asd.as.com
default_domain = yyyy.asd.as.com
}
Webserver2.yyyy.asd.as.com = {
kdc = Webserver2.yyyy.asd.as.com
default_domain = yyyy.asd.as.com
}
Webserver3.yyyy.asd.as.com = {
kdc = Webserver3.yyyy.asd.as.com
default_domain = yyyy.asd.as.com
}
[domain_realm]
.yyyy.asd.as.com = Webserver1.yyyy.asd.as.com
.yyyy.asd.as.com = Webserver2.yyyy.asd.as.com
.yyyy.asd.as.com = Webserver3.yyyy.asd.as.com
—————
There are 3 web servers in the test bed.
Did I create the ini file in the right way?
Thanks a lot for your help.
Karan
Mate you’re missing the point! Don’t put your webservers in there!! You need to put your domain controllers in there, the servers that look after your kerberos domain! If you don’t know what I’m talking about I suggest you read here first or ask a sysadmin to help explain your security setup to you… Get familiar with wireshark, observe a manual test case and watch how your authentication happens in your domain. Fiddler is also useful from a client point of view.
http://en.wikipedia.org/wiki/Kerberos_(protocol)
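The consistency problems in the files posted above can be caught before a test run. The following linter is an added example, not code from the post, from HP or from LoadRunner; it assumes LoadRunner's Kerberos library follows MIT krb5.conf semantics, where each [realms] tag and each [domain_realm] value is a realm name, and CORP.EXAMPLE and the host names in the sample are constructed.

```python
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "rc4-hmac", "arcfour-hmac"}

def parse_krb5(text):
    """Return {section: [(key, value)]}; a 'name = {' stanza becomes (name, [(k, v)])."""
    sections, current, block = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current, block = sections.setdefault(line[1:-1].strip(), []), None
        elif line == "}":
            block = None
        elif "=" in line and current is not None and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = []
                current.append((key, block))
            else:
                (current if block is None else block).append((key, value))
    return sections

def lint_krb5(text):
    """List findings, assuming MIT krb5.conf semantics for LoadRunner's Kerberos library."""
    cfg, findings = parse_krb5(text), []
    lib = dict(cfg.get("libdefaults", []))
    realms = {name for name, body in cfg.get("realms", []) if isinstance(body, list)}
    default = lib.get("default_realm", "<unset>")
    if default not in realms:
        findings.append(f"default_realm {default} has no [realms] stanza")
    pairs = cfg.get("domain_realm", [])
    doms = [d for d, _ in pairs]
    findings += [f"duplicate domain_realm key {d}" for d in sorted(set(doms)) if doms.count(d) > 1]
    findings += [f"{d} maps to undefined realm {r}" for d, r in pairs if r not in realms]
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = sorted(set(lib.get(key, "").replace(",", " ").split()) & WEAK_ENCTYPES)
        findings += [f"{key} allows weak enctypes: {' '.join(weak)}"] if weak else []
    return findings

# Constructed sample shaped like the files in the comments: host names where realms belong.
SAMPLE = """[libdefaults]
default_realm = CORP.EXAMPLE
default_tkt_enctypes = des-cbc-md5 rc4-hmac
[realms]
web1.corp.example = {
kdc = web1.corp.example
}
[domain_realm]
.corp.example = web1.corp.example
.corp.example = web2.corp.example
"""
print("\n".join(lint_krb5(SAMPLE)))
```

The linter cannot tell whether a kdc host really is a domain controller; that still has to come from a trace or from the domain's administrators. DES and RC4 enctypes are flagged because they are deprecated for Kerberos (RFC 6649, RFC 8429).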
Hey Tim,
do you know if the “INITIAL_BASIC_AUTH” is supported by LR8.1 ?
Cheers
Not sure mate would have to go to HP on that one. As it stands this flag is not documented anywhere AFAIK. I was testing on 9+. Have a crack and post any error messages you get here.
Regards,
Tim
Tim,
thanks. The F1 help for 8.1 has no mention of the “INITIAL_BASIC_AUTH” however when I run the
web_set_sockets_option("HELP","");
I can see the “INITIAL_BASIC_AUTH” option.
web_set_sockets_option parameters =================================
INITIAL_BASIC_AUTH : Send basic authentithication to server before receiving HTTP error
etc etc
The error I’m receiving is the one mentioned previously above “Warning -26000: can’t get initial credentials for username/password userxxxxx/Password1”
I am looking into the krb5.ini file setup. Thought I had set it up right but getting it looked into.
Cheers
John
OK good to know that. Didn’t realise you could get help on the web_set_sockets_option. There’s lots of resources out there about setting up krb5 config files and generating keytabs (although I didn’t have to for our setup which was IBM WebSEAL / SSO/ AD)
Good luck with it!
Tim
Hi Tim,
we use LoadRunner 9.1.
The thing I can’t understand is how you manage to change the user onto Kerberos authentication.
For example
web_set_user("user1","pwd1");
user1 is connected on Windows.
The user connected to app is user1.
Now we try to make
web_set_user("user2","pwd1");
user1 is connected on Windows.
The script works fine but the user connected on app is “user1” and not “user2”.
How do we make that work?
Thanks for your reply