Altentee | Performance & Test Automation Specialists
17 Apr 09

Improved SPNEGO or Kerberos support with LoadRunner

Previously I identified a way in which to test SPNEGO or Kerberos authentication with LoadRunner. However, this implementation was buggy in the sense that, if you ran your load tests under reasonable load with the WinInet replay engine (instead of sockets), you were likely to encounter the following error:

Error -27492: "HttpSendRequest" failed, Windows error code=12057 (certificate revoked) and retry limit (0) exceeded for URL="https://someplacesecure.com.au/secure.html", Snapshot Info [MSH 1 2]

This error occurs when using WinInet replay instead of sockets with Integrated Authentication enabled in run-time settings. The purpose of this was to allow vusers to use SSO with SPNEGO authentication in an IBM WebSEAL environment.

After spending some time with the mystical HP level 3 support, they identified an undocumented flag which helps out significantly in this. So, instead of using the WinInet replay engine (which is not encouraged by HP) you should do something similar to the following.

vuser_init()
{
    // Preferred run-time settings
    //   Browser -> Browser Emulation
    //     [ ] Simulate a new user on each iteration
    //   Preferences -> Options
    //     Enable Integrated Authentication [Yes]

    // Undocumented sockets option; must be set before the first request.
    web_set_sockets_option("INITIAL_BASIC_AUTH", "1");

    // Placeholder credentials, scoped to the target host:port.
    web_set_user("DOMAIN.LOCAL\\username",
        "password",
        "someplacesecure.com.au:443");

    // First request to the protected resource; triggers the authentication.
    web_url("myportal",
        "URL=https://someplacesecure.com.au/wps",
        "Resource=0",
        "Referer=",
        "Mode=HTML",
        LAST);

    return 0;
}

The magic is in the web_set_sockets_option("INITIAL_BASIC_AUTH","1") flag. Set that and you can then use LoadRunner in Sockets mode, which, as it turns out, is much more stable.

Enjoy.

About Tim Koopmans

Tim spent his formative years in the army, initially wanting to be a pilot but instead developed a love of computers and all things automated. Since leaving the army Tim has been providing performance testing and test automation services to government agencies and big corporations. He has since co-founded Altentee to open the way for other companies interested in performance and test automation.
Comments (16) Trackbacks (0)
  1. PS. You will also need a file called krb5.ini available in your system path i.e. C:\windows

    It should look something like this:

    [libdefaults]
    default_realm = DOMAIN.LOCAL
    default_keytab_name = FILE:c:\winnt\krb5.keytab
    default_tkt_enctypes = des-cbc-md5 rc4-hmac
    default_tgs_enctypes = des-cbc-md5 rc4-hmac
    [realms]
    dc01.domain.local = {
    kdc = dc01.domain.local
    default_domain = domain.local
    }
    [domain_realm]
    .domain.local = dc01.domain.local

  2. I tried using the statement you specified and it resulted in script failures. I also noticed that INITIAL_BASIC_AUTH is not listed as an available argument for the web_set_sockets_option function. Did HP provide you with any custom DLLs?

  3. No additional DLLs were provided. We’re using LR version 9. What version are you on? Also there is no documentation for that sockets option.

    Regards,
    Tim

  4. The documentation for web_set_sockets_option is present in LR9.5. But the first argument I couldn’t find there. I have tried all the options suggested, but my scripts won’t run. The error I get is “Kerberos can not recognize hostname”

    Here is the error detail:
    Action.c(235): Error -26630: HTTP Status-Code=401 (Unauthorized) for “http://*******.com:8001/XXX//xxx/amf” [MsgId: MERR-26630]
    Action.c(235): t=7169ms: Closing connection to server *******.com - server indicated that the connection should be closed [MsgId: MMSG-26000]
    Action.c(235): t=7170ms: Closed connection to ********.com:8001 after completing 1 request [MsgId: MMSG-26000]
    Error -26000: An invalid name was supplied
    Configuration file does not specify default realm
    [initialize_name] [MsgId: MERR-26000]
    Action.c(235): Error -27712: Kerberos can not recognize hostname An invalid name was supplied
    Configuration file does not specify default realm
    [initialize_name]. [MsgId: MERR-27712]
    Action.c(235): t=7192ms: Request done “http://**********.com:8001/XXX//xxx/amf” [MsgId: MMSG-26000]
    Action.c(235): flex_web_request(“amf”) highest severity level was “ERROR”, 1518 body bytes, 167 header bytes [MsgId: MMSG-26388]
    Ending action Action.

    My browser also has “enable Integrated Authentication checked”

    I don’t have access to the krb5.ini file. Is this error due to the ini file? Can you help?

  5. Yes you will need to create a kerberos ini file. See my first comment in this post. Create it and store it somewhere accessible in your default path.

    Regards,
    Tim

  6. Hi Tim, I’m also facing the same problem for one of the applications I’m working on. I’ve created the krb5.ini file and saved it under c:\WINDOWS, but I don’t know how to create the keytab file. Could you please give me some tips on how to create the keytab file?

    Thanks in advance.
    Regards
    Karan

  7. In the end I didn’t have a keytab file. Can you post the error here?

  8. Hi Tim, Thanks a lot for your help.
    Here are the details. currently we are using 9.5 version.
    ———-
    Script
    web_set_sockets_option("INITIAL_BASIC_AUTH","1");

    web_set_user("yyyy\\userid", "pwd", "app.com:80");

    web_url("HomePage",
        "URL=http://app.com/",
        "TargetFrame=",
        "Resource=0",
        "RecContentType=text/html",
        "Referer=",
        "Snapshot=t1.inf",
        "Mode=HTML",
        LAST);
    ———————–

    ————-
    Error message
    Action.c(27): Continuing after Error -27734: Internal Error – can’t get initial credentials for username/password rmatte/Merrill1009 [MsgId: MERR-27734]

    —————–

    ————-
    Krb5.ini
    [libdefaults]
    default_realm = DOMAIN.LOCAL
    default_keytab_name = FILE:c:\winnt\krb5.keytab
    default_tkt_enctypes = des-cbc-md5 rc4-hmac
    default_tgs_enctypes = des-cbc-md5 rc4-hmac
    [realms]
    dc01.domain.local = {
    kdc = dc01.domain.local
    default_domain = domain.local
    }
    [domain_realm]
    .domain.local = dc01.domain.local
    ————-

    Did I create the Krb5.ini file in the right format?

    Thanks & Regards
    Karan

  9. The problem is you haven’t updated the domain controllers in your [realms] to point to real DCs. You’re just using my example file i.e. dc01.domain.local. You need to find out what the names are of your DCs and update accordingly. You can normally figure this out with a wireshark trace, or just ask your system admin type people. The error message is basically telling you this, i.e. it can’t get the username/password for rmatte/Merrill1009

    Cheers,
    Tim

  10. Hi Tim, I’ve updated the Krb5.ini file but getting different error message now “Miscellaneous failure Server not found in Kerberos database [MsgId: MERR-27734]”

    I’m seeing Domain name as “YYYY”, Server Name as “Webserver1”, Domain DNS Name as “yyyy.asd.as.com” and Server DNS Name as “Webserver1.yyyy.asd.as.com” in the Wireshark.

    —————–
    Krb5.ini file is

    [libdefaults]
    default_realm = YYYY.ASD.AS.COM
    default_keytab_name = c:\winnt\krb5.keytab
    default_tkt_enctypes = des-cbc-md5 rc4-hmac
    default_tgs_enctypes = des-cbc-md5 rc4-hmac
    [realms]
    Webserver1.yyyy.asd.as.com = {
    kdc = Webserver1.yyyy.asd.as.com
    default_domain = yyyy.asd.as.com
    }
    Webserver2.yyyy.asd.as.com = {
    kdc = Webserver2.yyyy.asd.as.com
    default_domain = yyyy.asd.as.com
    }
    Webserver3.yyyy.asd.as.com = {
    kdc = Webserver3.yyyy.asd.as.com
    default_domain = yyyy.asd.as.com
    }
    [domain_realm]
    .yyyy.asd.as.com = Webserver1.yyyy.asd.as.com
    .yyyy.asd.as.com = Webserver2.yyyy.asd.as.com
    .yyyy.asd.as.com = Webserver3.yyyy.asd.as.com

    —————

    There are 3 web servers in the test bed.

    Did I create the ini file in the right way?

    Thanks a lot for your help.

    Karan

  11. Hi Tim, I’ve updated the Krb5.ini file but getting different error message now “Miscellaneous failure Server not found in Kerberos database [MsgId: MERR-27734]”

    I’m seeing Domain name as “YYYY”, Server Name as “Webserver1”, Domain DNS Name as “yyyy.asd.as.com” and Server DNS Name as “Webserver1.yyyy.asd.as.com” in the Wireshark.

    —————–
    Krb5.ini file is

    [libdefaults]
    default_realm = YYYY.ASD.AS.COM
    default_keytab_name = c:\winnt\krb5.keytab
    default_tkt_enctypes = des-cbc-md5 rc4-hmac
    default_tgs_enctypes = des-cbc-md5 rc4-hmac
    [realms]
    Webserver1.yyyy.asd.as.com = {
    kdc = Webserver1.yyyy.asd.as.com
    default_domain = yyyy.asd.as.com
    }
    Webserver.yyyy.asd.as.com = {
    kdc = Webserver2.yyyy.asd.as.com
    default_domain = yyyy.asd.as.com
    }
    Webserver3.yyyy.asd.as.com = {
    kdc = Webserver3.yyyy.asd.as.com
    default_domain = yyyy.asd.as.com
    }
    [domain_realm]
    .yyyy.asd.as.com = Webserver1.yyyy.asd.as.com
    .yyyy.asd.as.com = Webserver2.yyyy.asd.as.com
    .yyyy.asd.as.com = Webserver3.yyyy.asd.as.com

    —————

    Did I create the ini file in the right way?

    Thanks a lot for your time & help.

    Karan

  12. Mate you’re missing the point! Don’t put your webservers in there!! You need to put your domain controllers in there, the servers that look after your Kerberos domain! If you don’t know what I’m talking about I suggest you read here first or ask a sysadmin to help explain your security setup to you… Get familiar with Wireshark, observe a manual test case and watch how your authentication happens in your domain. Fiddler is also useful from a client point of view.

    http://en.wikipedia.org/wiki/Kerberos_(protocol)
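
The mistake discussed in comments 10 to 12 can be caught offline before a test run: in the krb5.ini format each [realms] block is keyed by the realm name that default_realm uses, its kdc entries name domain controllers, and [domain_realm] maps a DNS suffix to that realm. The Python linter below is an added example, not code from the post or its comments; the sample files are constructed, dc01.yyyy.asd.as.com is a hypothetical domain controller name, and the AES enctypes in the corrected sample assume the domain controllers support them.

```python
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}  # deprecated: RFC 6649, RFC 8429

def parse_krb5(text):  # -> {section: {key: [values]}}; "NAME = {" blocks become nested dicts
    conf, section, block = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section, block = conf.setdefault(line.strip("[]"), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None and line[0] not in "#;":
            key, value = map(str.strip, line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def lint_krb5(text):
    conf = parse_krb5(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    default = lib.get("default_realm", ["<unset>"])[0]
    findings = [] if default in realms else [f"no [realms] block for default_realm {default}"]
    # Realm names are case-sensitive; an AD realm is the upper-case DNS domain name.
    findings += [f"[realms] key {r} is not an upper-case realm" for r in realms if r != r.upper()]
    for suffix, targets in conf.get("domain_realm", {}).items():
        if len(targets) > 1 or targets[0] not in realms:
            findings.append(f"[domain_realm] {suffix} must map to one defined realm")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = WEAK_ENCTYPES & set(" ".join(lib.get(key, [])).split())
        if weak:
            findings.append(f"{key} allows deprecated enctypes {sorted(weak)}")
    return findings

# Constructed samples: BROKEN keys [realms] by a web server; FIXED uses a hypothetical DC name.
TEMPLATE = """[libdefaults]
default_realm = YYYY.ASD.AS.COM
default_tkt_enctypes = {enctypes}
[realms]
{realm} = {{
kdc = {kdc}
}}
[domain_realm]
.yyyy.asd.as.com = {realm}
"""
WEB = "Webserver1.yyyy.asd.as.com"
BROKEN = TEMPLATE.format(realm=WEB, kdc=WEB, enctypes="des-cbc-md5 rc4-hmac")
FIXED = TEMPLATE.format(realm="YYYY.ASD.AS.COM", kdc="dc01.yyyy.asd.as.com",
                        enctypes="aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96")
print(lint_krb5(BROKEN), lint_krb5(FIXED), sep="\n")
```

The linter checks structure only; whether each kdc host really is a domain controller still has to be confirmed, for example from the _kerberos._tcp SRV records in the domain's DNS.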

  13. Hey Tim,

    Do you know if the “INITIAL_BASIC_AUTH” is supported by LR8.1?

    Cheers

  14. Not sure mate would have to go to HP on that one. As it stands this flag is not documented anywhere AFAIK. I was testing on 9+. Have a crack and post any error messages you get here.

    Regards,
    Tim

  15. Tim,

    Thanks. The F1 help for 8.1 has no mention of the “INITIAL_BASIC_AUTH”; however, when I run the

    web_set_sockets_option("HELP","");

    I can see the “INITIAL_BASIC_AUTH” option.

    web_set_sockets_option parameters =================================
    INITIAL_BASIC_AUTH : Send basic authentithication to server before receiving HTTP error

    etc etc

    The error I’m receiving is the one mentioned previously above “Warning -26000: can’t get initial credentials for username/password userxxxxx/Password1″

    I am looking into the krb5.ini file setup. Thought I had set it up right but getting it looked into.

    Cheers
    John

  16. OK good to know that. Didn’t realise you could get help on the web_set_sockets_option. There’s lots of resources out there about setting up krb5 config files and generating keytabs (although I didn’t have to for our setup which was IBM WebSEAL / SSO/ AD)

    Good luck with it!

    Tim

