Hey Felix, you are indeed right! Got it working now. Needed to flip the URL in krb5 to the Domain Controller and switch off the default_tkt_enctypes and default_tgs_enctypes.
How do I stop answering in top-post style? Sorry, no idea what I should do differently, I just hit reply in gmail.

On Fri, Jan 16, 2015 at 12:59 PM, Felix Schumacher <[email protected]> wrote:
>
> On 16.01.2015 10:49, Martijn de Vrieze wrote:
>>
>> Hey Felix,
>>
>> thanks for the help so far :)
>> BTW, does it make a difference that I am working from a 64b Linux box?
>> Although when within the domain, on a windows (citrix) box I get the same
>> errors.
>
> I do my testing from linux, so I am sure, that linux works.
>
>>
>> I started off initially trying it over 88, which gives the exact same
>> time-out.
>
> Then maybe not only the port is wrong, but the dns name also? The kdc is not
> the website server you are trying to connect to, but the key distribution
> center, that is the kerberos server.
>
>>
>> When I asked the implementation partner they claimed it should just run
>> over 443, but then again, what do they know :)
>
> If they tell you it is 443, they probably mean the webserver, which is most
> likely not the kdc.
>
>>
>> One thing I have noticed so far, is that the request headers contain
>> nothing towards auth types:
>
> That is OK, since you have no TGT or service ticket and if it is the first
> request no knowledge, that the server is willing to speak SPNEGO.
>
>
>>
>>
>> Request Headers:
>> Connection: keep-alive
>> User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: en-US,en;q=0.5
>> Accept-Encoding: gzip, deflate
>> Pragma: no-cache
>> Cache-Control: no-cache
>> Host: tst-crm20.veh.nl
>>
>> Whereas the response header does tell me the www-auth => negotiate
>>
>> Thread Name: Jmeter 1-1
>> Sample Start: 2015-01-16 10:36:01 CET
>> Load time: 90209
>> Latency: 90208
>> Size in bytes: 485
>> Headers size in bytes: 425
>> Body size in bytes: 60
>> Sample Count: 1
>> Error Count: 1
>> Response code: 401
>> Response message: Unauthorized
>>
>> Response headers:
>> HTTP/1.1 401 Unauthorized
>> Cache-Control: private
>> Transfer-Encoding: chunked
>> Content-Type: text/plain
>> Server: Microsoft-IIS/8.5
>> X-AspNet-Version: 4.0.30319
>> REQ_ID: e73cba80-97e4-4444-a201-a50ab6957a31
>> Set-Cookie: ReqClientId=51c362af-23e0-4dad-a299-10e6bf67c310; expires=Fri, 16-Jan-2065 09:37:31 GMT; path=/; secure; HttpOnly
>> WWW-Authenticate: Negotiate
>
> This is good, as it means that the server is willing to speak SPNEGO with you.
>
>> X-Powered-By: ASP.NET
>> Date: Fri, 16 Jan 2015 09:37:31 GMT
>>
>>
>> HTTPSampleResult fields:
>> ContentType: text/plain
>> DataEncoding: null
>>
>>
>>
>> Also, tried connecting straight through Java and that worked like a charm.
>>
>> Code is somewhat like this:
>>
>> import org.apache.http.HttpResponse;
>> import org.apache.http.auth.AuthScope;
>> import org.apache.http.auth.NTCredentials;
>> import org.apache.http.client.methods.HttpGet;
>> import org.apache.http.impl.auth.NTLMSchemeFactory;
>> import org.apache.http.impl.client.DefaultHttpClient;
>>
>> public class NTLM_ping {
>>     public NTLM_ping(){
>>         super();
>>     }
>>
>>     public static void main(String[]args) throws Exception {
>>
>>         DefaultHttpClient httpClient = new DefaultHttpClient();
>>         // register the NTLM scheme (this is not Kerberos/SPNEGO)
>>         httpClient.getAuthSchemes().register("ntlm",new NTLMSchemeFactory());
>
> That is great, but you are not using kerberos here.
>
> This is NTLM, which you could use with jmeter, too. I believe you have to
> fill in the domain and realm columns and use BASIC_DIGEST instead of Kerberos.
>
> But keep in mind, that kerberos is cooler and probably more secure.
>
>>
>>         // add credentials
>>
>>         httpClient.getCredentialsProvider().setCredentials(
>>             new AuthScope("TEST", -1),
>>             new NTCredentials("m.devrieze","PassWord","tst-crm20.test.nl","TEST"));
>>
>>         HttpGet httpGet = new HttpGet("http://tst-crm20.test.nl");
>>
>>         // ignore cookies
>>         /*httpGet.getParams().setParameter("http.protocol.cookie-policy",
>>         CookiePolicy.ACCEPT_ALL);
>>         */
>>         try{
>>             // execute the GET
>>             HttpResponse status = httpClient.execute(httpGet);
>>             System.out.println(status.getProtocolVersion());
>>             System.out.println(status.getStatusLine().getStatusCode());
>>             System.out.println(status.getStatusLine().getReasonPhrase());
>>             System.out.println(status.getStatusLine().toString());
>>         }finally {
>>             // release any sources
>>         }
>>     }
>> }
>>
> And by the way, could you stop answering in top-post style?
>
> Regards
> Felix
>
>
>>
>>
>>
>> On Fri, Jan 16, 2015 at 10:21 AM, Felix Schumacher <[email protected]> wrote:
>>
>>> On 16.01.2015 09:58, Martijn de Vrieze wrote:
>>>
>>>> krb5.conf
>>>>
>>>> [libdefaults]
>>>> default_realm = TEST.NL
>>>> default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>> default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>> forwardable=true
>>>>
>>>> [realms]
>>>> TEST.NL = {
>>>> kdc = tst-crm20.test.nl:443
>>>>
>>> This is a strange port for a kdc. I would expect it to listen on 88.
>>>
>>>> }
>>>>
>>>>
>>>> [domain_realm]
>>>> test.nl= TEST.NL
>>>> .test.nl= TEST.NL
>>>>
>>>> [appdefaults]
>>>> pam = {
>>>> debug = false
>>>> ticket_lifetime = 36000
>>>> renew_lifetime = 36000
>>>> forwardable = true
>>>> krb4_convert = false
>>>> }
>>>>
>>>> jaas.conf
>>>>
>>>>
>>>> JMeter {
>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>> doNotPrompt=false
>>>> useKeyTab=false
>>>> storeKey=false;
>>>> };
>>>>
>>>> On rerunning I received the following error (which I have not seen before):
>>>> 2015/01/16 09:57:52 WARN - org.apache.http.client.protocol.RequestTargetAuthentication: NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
>>>>
>>> That is probably because you don't connect to the right port and no one
>>> responds to you. Try another kdc port.
>>>
>>> Regards
>>> Felix
>>>
>>>>
>>>> *Martijn de Vrieze*
>>>>
>>>>
>>>>
>>>> Phone: +31618707784 | Skype: martijndevrieze | gtalk:
>>>> [email protected] | Twitter:
>>>> http://www.twitter.com/martijndevrieze | Linkedin:
>>>> http://www.linkedin.com/in/martijndevrieze | Home:
>>>> http://www.martijndevrieze.nl
>>>>
>>>> On Fri, Jan 16, 2015 at 9:01 AM, Felix Schumacher <[email protected]> wrote:
>>>>
>>>>> On 15.01.2015 22:48, Martijn de Vrieze wrote:
>>>>>
>>>>>
>>>>>> I have been struggling somewhat with JMeter and kerberos lately. Google so
>>>>>> far has not been able to help me out with the issue I am facing.
>>>>>>
>>>>>> The system under test is a Microsoft CRM 2013 platform, up until a few days
>>>>>> ago my tests worked fine since basic auth was switched on. However on the
>>>>>> most recent drop with changes they also switched over to kerberos auth
>>>>>> only.
>>>>>>
>>>>>> I have:
>>>>>> * filled in the KRB5.CONF with all relevant information
>>>>>> * HTTP AUTH Manager in the script with base URL, username, password,
>>>>>>   domain and KERBEROS filled in
>>>>>> * HTTP Request defaults to ensure and enforce HTTP4 use, HTTPS over port
>>>>>>   443 and the same base URL all over the place
>>>>>>
>>>>>> However I cannot get it to work properly, logging in simply refuses to work
>>>>>> for me. I'd really appreciate some help here, I use Jmeter fairly often,
>>>>>> with this I am however completely stuck.
>>>>>>
>>>>>> When running the first step, which instantly receives the KERBEROS auth
>>>>>> request I get the following in my logs:
>>>>>>
>>>>>> 2015/01/15 17:13:02 INFO - jmeter.threads.JMeterThread: Thread started: Jmeter 1-1
>>>>>> 2015/01/15 17:13:02 INFO - jmeter.services.FileServer: Stored: users.csv
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: GET(OAH) http://tst-crm20.test.nl/TEST/main.aspx null
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.HC4CookieHandler: Found 0 cookies for http://tst-crm20.test.nl/TEST/main.aspx
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: inCache http://tst-crm20.test.nl/TEST/main.aspx null
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Target URL strings to match against: http://tst-crm20.test.nl/TEST/main.aspx and http://tst-crm20.test.nl:80/TEST/main.aspx
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Checking match against auth'n entry: http://tst-crm20.test.nl
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Matched
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Target URL strings to match against: http://tst-crm20.test.nl/TEST/main.aspx and http://tst-crm20.test.nl:80/TEST/main.aspx
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Checking match against auth'n entry: http://tst-crm20.test.nl
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Matched
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: m.devrieze > D=TEST R= M=KERBEROS
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: GET(OAH) http://tst-crm20.test.nl/TEST/main.aspx null
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.HC4CookieHandler: Found 0 cookies for http://tst-crm20.test.nl/TEST/main.aspx
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: inCache http://tst-crm20.test.nl/TEST/main.aspx null
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Target URL strings to match against: http://tst-crm20.test.nl/TEST/main.aspx and http://tst-crm20.test.nl:80/TEST/main.aspx
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Checking match against auth'n entry: http://tst-crm20.test.nl
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Matched
>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.KerberosManager: Subject cached:[] before:m.devrieze
>>>>>> 2015/01/15 17:14:32 WARN - jmeter.protocol.http.control.KerberosManager: Could not log in user m.devrieze javax.security.auth.login.LoginException: Receive timed out
>>>>>>
>>>>> It seems, that the kerberos server did not answer the request for a
>>>>> service ticket (at least not within the default timeout of 30s).
>>>>> Could you rerun the test with the java system property
>>>>> "sun.security.krb5.debug" set to true?
>>>>>
>>>>> Could you post the contents of your krb5.conf and jaas.conf file?
>>>>>
>>>>> Regards
>>>>> Felix
>>>>>
>>>>>
>>>>>> *Thanks! *
>>>>>>
>>>>>> *Martijn de Vrieze*
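
The settings this thread turned on (a kdc entry on port 443 that names the web server under test, and the pinned default_tkt_enctypes / default_tgs_enctypes) can be checked mechanically before a JMeter run. The Python below is an added example, not code from the thread or from JMeter; `parse_conf`, `lint` and the embedded, trimmed copy of the posted krb5.conf are constructed here for illustration.

```python
# krb5.conf as posted in the thread (the version that timed out), trimmed; sample input.
THREAD_CONF = """\
[libdefaults]
default_realm = TEST.NL
default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
[realms]
TEST.NL = {
  kdc = tst-crm20.test.nl:443
}
"""

def parse_conf(text):
    """Return (kdcs, libdefaults); kdcs is [(realm, host, port)], port defaults to 88."""
    section, realm, kdcs, libdefaults = None, None, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif line == "}":
            realm = None                  # end of a realm block
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "realms" and value == "{":
                realm = key
            elif section == "realms" and realm and key == "kdc":
                host, sep, port = value.rpartition(":")
                kdcs.append((realm, host, int(port)) if sep and port.isdigit()
                            else (realm, value, 88))
            elif section == "libdefaults":
                libdefaults[key] = value
    return kdcs, libdefaults

def lint(text, web_host):
    """Flag the settings discussed in the thread; web_host is the server under test."""
    kdcs, libdefaults = parse_conf(text)
    findings = []
    for realm, host, port in kdcs:
        if port in (80, 443):
            findings.append(f"{realm}: kdc port {port} is a web port, a KDC normally listens on 88")
        if host.lower() == web_host.lower():
            findings.append(f"{realm}: kdc {host} is the web server under test, check it is the KDC")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        if key in libdefaults:
            findings.append(f"libdefaults: {key} is pinned, the KDC must offer one of these types")
    return findings
```

Calling `lint(THREAD_CONF, "tst-crm20.test.nl")` returns four findings for the posted file; a file whose kdc line names the domain controller without a web port and without the enctype lines returns none.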
