Performance Testing SPNEGO or Kerberos with LoadRunner

27 October, 2008 – 7:15 pm

Alas, it can’t be done in JMeter. So this is how it works in LoadRunner …
This challenge came up recently and we were able to figure out how to test SPNEGO or Kerberos using Integrated Windows Authentication with LoadRunner.

To test this I built a VM with Win2K3, an AD domain and IIS6. To enforce Kerberos-only authentication I modified IIS as per the following:
[Image: kerb1.png]

I didn’t have WebSEAL (which is what I was ultimately trying to simulate) but I believe this is reasonably close, to quote:

Integrated Windows authentication uses Kerberos v5 authentication and NTLM authentication. Kerberos is an industry-standard authentication protocol that is used to verify user or host identity. If Active Directory is installed on a domain controller running Windows 2000 Server or Windows Server 2003, and the client browser supports the Kerberos v5 authentication protocol, Kerberos v5 authentication is used; otherwise, NTLM authentication is used.

So to log on to my test page I needed to provide domain credentials in IE. I also made sure my client IE enforces IWA as per the following:
[Image: kerb2.png]

If I don’t provide my domain credentials (in this case: smallbusiness\fred) then I get knocked back with a 401 as expected.

On generation of my LR script the first response is a 401.2. It then does a second request with the authorization header i.e.
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==

The response header to this tells me to authenticate i.e.
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAGgAaADgAAAAFgomir1xcxf5zo2MAAAAAAAAAAOIA4gBSAAAABQLODgAAAA9TAE0AQQBMAEwAQgBVAFMASQBOAEUAUwBTAAIAGgBTAE0AQQBMAEwAQgBVAFMASQBOAEUAUwBTAAEAHgBLAE8ATwBQAFMALQA5ADYAWABZADIAVwBEAFUANgAEACYAcwBtAGEAbABsAGIAdQBzAGkAbgBlAHMAcwAuAGwAbwBjAGEAbAADAEYAawBvAG8AcABzAC0AOQA2AHgAeQAyAHcAZAB1ADYALgBzAG0AYQBsAGwAYgB1AHMAaQBuAGUAcwBzAC4AbABvAGMAYQBsAAUAJgBzAG0AYQBsAGwAYgB1AHMAaQBuAGUAcwBzAC4AbABvAGMAYQBsAAAAAAA=

The next request authorizes presumably with the correct token i.e.
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAIgAAAAYABgAoAAAABoAGgBIAAAACAAIAGIAAAAeAB4AagAAAAAAAAC4AAAABYKIogUCzg4AAAAPcwBtAGEAbABsAGIAdQBzAGkAbgBlAHMAcwBmAHIAZQBkAEsATwBPAFAAUwAtADkANgBYAFkAMgBXAEQAVQA2AB15bTxE3i63AAAAAAAAAAAAAAAAAAAAALQ6IC82wYIBXpniDchRG9zSW8/bC4891w==

From which the response is gravy, and my homepage loads.
So the recording process looks like it went through the necessary authentication steps.

Now in my LR script Action() I can set the domain credentials dynamically with web_set_user (hence emulate multiple users) i.e.
web_set_user("smallbusiness\\fred","********", "smallbusiness.local:80");

Then follow with a web_url request to the server i.e.

	web_url("smallbusiness.local", 
		"URL=http://smallbusiness.local/", 
		"Resource=0", 
		"RecContentType=text/html", 
		"Referer=", 
		"Snapshot=t1.inf", 
		"Mode=HTML", 
		LAST);

Play that back and it fails. (Assuming WebSEAL will reject NTLM which in this case my test rig won’t, but I can make that assumption…)

Now change a couple of runtime settings:
Internet Protocol->Preferences->Options->Authentication->Enable Integrated Authentication
[Image: kerb3.png]

This makes sure that when the server asks for authentication via the first 401.2/1, SPNEGO/Negotiate/Kerberos is tried *first*, before any other protocol (like NTLM).

You also need to change:
Internet Protocol->Preferences->Advanced->WinInet [checked]:
[Image: kerb4.png]

This instructs VuGen to use the WinInet replay engine instead of the standard Sockets replay. VuGen has two HTTP replay engines: Sockets-based (the default) and WinInet-based. WinInet is the engine used by Internet Explorer and it supports all of the features incorporated into the IE browser. I think this *better* emulates the IE client settings for IWA …

And re-run the script. I now get past the authentication using Kerberos and successfully load my home page… This can be repeated for WebSEAL provided you first do a web_set_user (so it knows what domain credentials to use) which effectively lets you run the test with multiple users… Great for testing those WebSEAL/SPNEGO/Kerberos single sign on solutions…
:)
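A check for which mechanism a Negotiate exchange actually carried, as an added example (not from the original post or from LoadRunner): tokens that begin TlRMTVNTUA, like the three recorded above, decode to the NTLMSSP signature, while a Kerberos/SPNEGO initial token begins with the GSS-API tag 0x60 (base64 "YI"). The function classify_negotiate, the enum and the SPNEGO sample prefix are hypothetical names and constructed data for this illustration.

```c
#include <stdio.h>
#include <string.h>
enum mech { MECH_UNKNOWN, MECH_NTLM, MECH_SPNEGO_INIT, MECH_SPNEGO_RESP };

static int b64val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode at most cap bytes from the front of a base64 string. */
static size_t b64_head(const char *s, unsigned char *out, size_t cap) {
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (; *s && n < cap; s++) {
        int v = b64val(*s);
        if (v < 0) break;                 /* padding or junk ends the token */
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (unsigned char)(acc >> bits); }
    }
    return n;
}

/* value: header value such as "Negotiate TlRM..."; *ntlm_type is set to
   1..3 for NTLM messages and 0 otherwise. Hypothetical helper name. */
enum mech classify_negotiate(const char *value, int *ntlm_type) {
    unsigned char b[12];
    *ntlm_type = 0;
    if (strncmp(value, "Negotiate ", 10) != 0) return MECH_UNKNOWN;
    size_t n = b64_head(value + 10, b, sizeof b);
    if (n == 12 && memcmp(b, "NTLMSSP", 8) == 0) {   /* 7 chars + NUL */
        *ntlm_type = b[8];                /* low byte of LE message type */
        return MECH_NTLM;
    }
    if (n > 0 && b[0] == 0x60) return MECH_SPNEGO_INIT;  /* GSS-API token */
    if (n > 0 && b[0] == 0xa1) return MECH_SPNEGO_RESP;  /* NegTokenResp */
    return MECH_UNKNOWN;
}

int main(void) {
    int t, m;
    /* First token recorded on this page, then a constructed SPNEGO prefix. */
    m = classify_negotiate("Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==", &t);
    printf("recorded:    mech=%d ntlm_type=%d\n", m, t);
    m = classify_negotiate("Negotiate YIIBAAYGKwYBBQUC", &t);
    printf("constructed: mech=%d ntlm_type=%d\n", m, t);
    return 0;
}
```

Run over the Authorization and WWW-Authenticate values in a replay log, a result of MECH_NTLM means that exchange carried NTLM inside Negotiate rather than a Kerberos ticket.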

2 Responses to “Performance Testing SPNEGO or Kerberos with LoadRunner”

  1. Remember, if you’re going to be testing via HTTPS then make sure you change the port number in your web_set_user call!

    web_set_user("smallbusiness\\fred","********", "smallbusiness.local:443");

    By Tim on Nov 22, 2008

  2. Thank you very much for the details. We have Web-click and script protocol used and SSO is not working. Do you have any solution for that?

    But thank you very much for the details you provided. I tried the concept you mention and it works for HTTP/HTML protocol but not with web click and script protocol. I will be very thankful if you could provide any details in regards to that.

    regards,
    Ibrahim.

    By Ibrahim Khan on Dec 28, 2008
