Hi Felix,
Maybe docs could be amended to help on this?
Regards

On Fri, Jan 16, 2015 at 1:25 PM, Felix Schumacher <
[email protected]> wrote:

>
>
> On 16 January 2015 at 13:21:32 CET, Martijn de Vrieze <
> [email protected]> wrote:
> >Hey Felix,
> >
> >you are indeed right! Got it working now. Needed to flip the URL in
> >krb5 to the Domain Controller and switch off the default_tkt_enctypes
> >and default_tgs_enctypes
> Glad, that I could help you.
>
> >
> >How do I stop answering in top-post style? Sorry, no idea what I
> >should do differently, I just hit reply in gmail.
> Can't help you there, but a google search might help.
>
> Regards
> Felix
> >
> >
> >
> >On Fri, Jan 16, 2015 at 12:59 PM, Felix Schumacher
> ><[email protected]> wrote:
> >>
> >> On 16.01.2015 at 10:49, Martijn de Vrieze wrote:
> >>>
> >>> Hey Felix,
> >>>
> >>> thanks for the help so far :)
> >>> BTW, does it make a difference that I am working from a 64b Linux box?
> >>> Although when within the domain, on a windows (citrix) box I get the
> >>> same errors.
> >>
> >> I do my testing from linux, so I am sure, that linux works.
> >>
> >>>
> >>> I started off initially trying it over 88, which gives the exact same
> >>> time-out.
> >>
> >> Then maybe not only the port is wrong, but the dns name also? The kdc
> >> is not the website server you are trying to connect to, but the key
> >> distribution center, that is the kerberos server.
> >>
> >>>
> >>> When I asked the implementation partner they claimed it should just run
> >>> over 443, but then again, what do they know :)
> >>
> >> If they tell you it is 443, they probably mean the webserver, which
> >> is most likely not the kdc.
> >>
> >>>
> >>> One thing I have noticed so far, is that the request headers contain
> >>> nothing towards auth types:
> >>
> >> That is OK, since you have no TGT or service ticket and if it is the
> >> first request no knowledge, that the server is willing to speak SPNEGO.
> >>
> >>
> >>>
> >>>
> >>> Request Headers:
> >>> Connection: keep-alive
> >>> User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
> >>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> >>> Accept-Language: en-US,en;q=0.5
> >>> Accept-Encoding: gzip, deflate
> >>> Pragma: no-cache
> >>> Cache-Control: no-cache
> >>> Host: tst-crm20.veh.nl
> >>>
> >>> Whereas the response header does tell me the www-auth => negotiate
> >>>
> >>> Thread Name: Jmeter 1-1
> >>> Sample Start: 2015-01-16 10:36:01 CET
> >>> Load time: 90209
> >>> Latency: 90208
> >>> Size in bytes: 485
> >>> Headers size in bytes: 425
> >>> Body size in bytes: 60
> >>> Sample Count: 1
> >>> Error Count: 1
> >>> Response code: 401
> >>> Response message: Unauthorized
> >>>
> >>> Response headers:
> >>> HTTP/1.1 401 Unauthorized
> >>> Cache-Control: private
> >>> Transfer-Encoding: chunked
> >>> Content-Type: text/plain
> >>> Server: Microsoft-IIS/8.5
> >>> X-AspNet-Version: 4.0.30319
> >>> REQ_ID: e73cba80-97e4-4444-a201-a50ab6957a31
> >>> Set-Cookie: ReqClientId=51c362af-23e0-4dad-a299-10e6bf67c310; expires=Fri, 16-Jan-2065 09:37:31 GMT; path=/; secure; HttpOnly
> >>> WWW-Authenticate: Negotiate
> >>
> >> This is good, as it means that the server is willing to speak SPNEGO
> >> with you.
> >>
> >>> X-Powered-By: ASP.NET
> >>> Date: Fri, 16 Jan 2015 09:37:31 GMT
> >>>
> >>>
> >>> HTTPSampleResult fields:
> >>> ContentType: text/plain
> >>> DataEncoding: null
> >>>
> >>>
> >>>
> >>> Also, tried connecting straight through Java and that worked like a charm.
> >>>
> >>> Code is somewhat like this:
> >>>
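> >>> import org.apache.http.HttpResponse;
> >>> import org.apache.http.auth.AuthScope;
> >>> import org.apache.http.auth.NTCredentials;
> >>> import org.apache.http.client.methods.HttpGet;
> >>> import org.apache.http.impl.auth.NTLMSchemeFactory;
> >>> import org.apache.http.impl.client.DefaultHttpClient;
> >>>
> >>> public class NTLM_ping {
> >>>     public NTLM_ping(){
> >>>         super();
> >>>     }
> >>>
> >>>     public static void main(String[]args) throws Exception {
> >>>
> >>>         DefaultHttpClient httpClient = new DefaultHttpClient();
> >>>         // register the NTLM scheme (this is not Kerberos/SPNEGO)
> >>>         httpClient.getAuthSchemes().register("ntlm", new NTLMSchemeFactory());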
> >>
> >> That is great, but you are not using kerberos here.
> >>
> >> This is NTLM, which you could use with jmeter, too. I believe you
> >> have to fill in the domain and realm columns and use BASIC_DIGEST
> >> instead of Kerberos.
> >>
> >> But keep in mind, that kerberos is cooler and probably more secure.
> >>
> >>>
> >>>         // add credentials
> >>>
> >>>         httpClient.getCredentialsProvider().setCredentials(
> >>>                 new AuthScope("TEST", -1),
> >>>                 new NTCredentials("m.devrieze","PassWord","tst-crm20.test.nl","TEST"));
> >>>
> >>>         HttpGet httpGet = new HttpGet("http://tst-crm20.test.nl");
> >>>
> >>>         // ignore cookies
> >>>         /*httpGet.getParams().setParameter("http.protocol.cookie-policy",
> >>>                 CookiePolicy.ACCEPT_ALL);
> >>>         */
> >>>         try{
> >>>             // execute the GET
> >>>             HttpResponse status = httpClient.execute(httpGet);
> >>>             System.out.println(status.getProtocolVersion());
> >>>             System.out.println(status.getStatusLine().getStatusCode());
> >>>             System.out.println(status.getStatusLine().getReasonPhrase());
> >>>             System.out.println(status.getStatusLine().toString());
> >>>         }finally {
> >>>             // release any sources
> >>>         }
> >>>     }
> >>> }
> >>>
> >> And by the way, could you stop answering in top-post style?
> >>
> >> Regards
> >>  Felix
> >>
> >>
> >>>
> >>>
> >>>
> >>> On Fri, Jan 16, 2015 at 10:21 AM, Felix Schumacher <
> >>> [email protected]> wrote:
> >>>
> >>>> On 16.01.2015 at 09:58, Martijn de Vrieze wrote:
> >>>>
> >>>>> krb5.conf
> >>>>>
> >>>>> [libdefaults]
> >>>>> default_realm = TEST.NL
> >>>>> default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> >>>>> default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> >>>>> forwardable=true
> >>>>>
> >>>>> [realms]
> >>>>> TEST.NL = {
> >>>>>         kdc = tst-crm20.test.nl:443
> >>>>>
> >>>> This is a strange port for a kdc. I would expect it to listen on 88.
> >>>>
> >>>>> }
> >>>>>
> >>>>>
> >>>>> [domain_realm]
> >>>>> test.nl= TEST.NL
> >>>>> .test.nl= TEST.NL
> >>>>>
> >>>>> [appdefaults]
> >>>>>  pam = {
> >>>>>    debug = false
> >>>>>    ticket_lifetime = 36000
> >>>>>    renew_lifetime = 36000
> >>>>>    forwardable = true
> >>>>>    krb4_convert = false
> >>>>>  }
> >>>>>
> >>>>> jaas.conf
> >>>>>
> >>>>>
> >>>>> JMeter {
> >>>>>     com.sun.security.auth.module.Krb5LoginModule required
> >>>>>     doNotPrompt=false
> >>>>>     useKeyTab=false
> >>>>>     storeKey=false;
> >>>>> };
> >>>>>
> >>>>> On rerunning I received the following error (which I have not seen before):
> >>>>> 2015/01/16 09:57:52 WARN  - org.apache.http.client.protocol.RequestTargetAuthentication: NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))
> >>>>>
> >>>> That is probably because you don't connect to the right port and no one
> >>>> responds to you. Try another kdc port.
> >>>>
> >>>> Regards
> >>>>  Felix
> >>>>
> >>>>>
> >>>>> *Martijn de Vrieze*
> >>>>>
> >>>>>
> >>>>>
> >>>>> Phone: +31618707784 | Skype: martijndevrieze | gtalk:
> >>>>> [email protected] | Twitter:
> >>>>> http://www.twitter.com/martijndevrieze | Linkedin:
> >>>>> http://www.linkedin.com/in/martijndevrieze | Home:
> >>>>> http://www.martijndevrieze.nl
> >>>>>
> >>>>> On Fri, Jan 16, 2015 at 9:01 AM, Felix Schumacher <
> >>>>> [email protected]> wrote:
> >>>>>
> >>>>>> On 15.01.2015 at 22:48, Martijn de Vrieze wrote:
> >>>>>>
> >>>>>>> I have been struggling somewhat with JMeter and kerberos lately.
> >>>>>>> Google so far has not been able to help me out with the issue I
> >>>>>>> am facing.
> >>>>>>>
> >>>>>>> The system under test is a Microsoft CRM 2013 platform, up until
> >>>>>>> a few days ago my tests worked fine since basic auth was switched
> >>>>>>> on. However on the most recent drop with changes they also
> >>>>>>> switched over to kerberos auth only.
> >>>>>>>
> >>>>>>> I have:
> >>>>>>>  * filled in the KRB5.CONF with all relevant information
> >>>>>>>  * HTTP AUTH Manager in the script with base URL, username,
> >>>>>>>    password, domain and KERBEROS filled in
> >>>>>>>  * HTTP Request defaults to ensure and enforce HTTP4 use, HTTPS
> >>>>>>>    over port 443 and the same base URL all over the place
> >>>>>>>
> >>>>>>> However I cannot get it to work properly, logging in simply
> >>>>>>> refuses to work for me. I'd really appreciate some help here, I
> >>>>>>> use Jmeter fairly often, with this I am however completely stuck.
> >>>>>>>
> >>>>>>> When running the first step, which instantly receives the
> >>>>>>> KERBEROS auth request I get the following in my logs:
> >>>>>>>
> >>>>>>> 2015/01/15 17:13:02 INFO  - jmeter.threads.JMeterThread: Thread started: Jmeter 1-1
> >>>>>>> 2015/01/15 17:13:02 INFO  - jmeter.services.FileServer: Stored: users.csv
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: GET(OAH) http://tst-crm20.test.nl/TEST/main.aspx null
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.HC4CookieHandler: Found 0 cookies for http://tst-crm20.test.nl/TEST/main.aspx
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: inCache http://tst-crm20.test.nl/TEST/main.aspx null
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Target URL strings to match against: http://tst-crm20.test.nl/TEST/main.aspx and http://tst-crm20.test.nl:80/TEST/main.aspx
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Checking match against auth'n entry: http://tst-crm20.test.nl
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Matched
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Target URL strings to match against: http://tst-crm20.test.nl/TEST/main.aspx and http://tst-crm20.test.nl:80/TEST/main.aspx
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Checking match against auth'n entry: http://tst-crm20.test.nl
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Matched
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: m.devrieze > D=TEST R= M=KERBEROS
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: GET(OAH) http://tst-crm20.test.nl/TEST/main.aspx null
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.HC4CookieHandler: Found 0 cookies for http://tst-crm20.test.nl/TEST/main.aspx
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.CacheManager: inCache http://tst-crm20.test.nl/TEST/main.aspx null
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Target URL strings to match against: http://tst-crm20.test.nl/TEST/main.aspx and http://tst-crm20.test.nl:80/TEST/main.aspx
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Checking match against auth'n entry: http://tst-crm20.test.nl
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.AuthManager: Matched
> >>>>>>> 2015/01/15 17:13:02 DEBUG - jmeter.protocol.http.control.KerberosManager: Subject cached:[] before:m.devrieze
> >>>>>>> 2015/01/15 17:14:32 WARN  - jmeter.protocol.http.control.KerberosManager: Could not log in user m.devrieze javax.security.auth.login.LoginException: Receive timed out
> >>>>>>>
> >>>>>> It seems, that the kerberos server did not answer the request for a
> >>>>>> service ticket (at least not within the default timeout of 30s).
> >>>>>> Could you rerun the test with the java system property
> >>>>>> "sun.security.krb5.debug" set to true?
> >>>>>>
> >>>>>> Could you post the contents of your krb5.conf and jaas.conf file?
> >>>>>>
> >>>>>> Regards
> >>>>>>  Felix
> >>>>>>
> >>>>>>
> >>>>>>> *Thanks! *
> >>>>>>>
> >>>>>>> *Martijn de Vrieze*
> >>>>>>>
> >>>>>>>
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: [email protected]
> >For additional commands, e-mail: [email protected]
>


-- 
Regards.
Philippe Mouawad.
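
The misconfiguration this thread resolved (a `kdc` entry naming the web server on port 443, plus pinned enctypes), as a small krb5.conf check. This is an added example, not part of the original messages or of JMeter; the `lint` and `parse_kdcs` functions and the host name `dc01.test.nl` are assumptions made for illustration.

```python
import re

# Constructed sample: the krb5.conf quoted in the thread, before the fix.
BEFORE = """\
[libdefaults]
default_realm = TEST.NL
default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
[realms]
TEST.NL = {
        kdc = tst-crm20.test.nl:443
}
"""
# Constructed "after": dc01.test.nl is a hypothetical domain controller name.
AFTER = "[libdefaults]\ndefault_realm = TEST.NL\n\n[realms]\nTEST.NL = {\n  kdc = dc01.test.nl\n}\n"
WEB_PORTS = {80, 443, 8080, 8443}   # ports a web server uses, not a KDC
KDC_PORT = 88                        # default Kerberos port

def parse_kdcs(text):
    """Return (realm, host, port) for every kdc entry under [realms]."""
    section, realm, kdcs = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if (m := re.fullmatch(r"\[(\w+)\]", line)):
            section, realm = m.group(1), None
        elif section == "realms" and (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)):
            realm = m.group(1)
        elif line == "}":
            realm = None
        elif realm and (m := re.fullmatch(r"kdc\s*=\s*([^\s:]+)(?::(\d+))?", line)):
            kdcs.append((realm, m.group(1), int(m.group(2) or KDC_PORT)))
    return kdcs

def lint(text, web_host):
    """List findings for the mistakes that caused the timeout in this thread."""
    findings = []
    for realm, host, port in parse_kdcs(text):
        if port in WEB_PORTS:
            findings.append(f"{realm}: kdc {host}:{port} is a web port, expected {KDC_PORT}")
        if host.lower() == web_host.lower():
            findings.append(f"{realm}: kdc {host} is the web server under test; "
                            "confirm it is really the domain controller")
    for key in re.findall(r"^\s*(default_t(?:kt|gs)_enctypes)\s*=", text, re.M):
        findings.append(f"{key} is pinned; the working config in the thread dropped it")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(BEFORE, "tst-crm20.test.nl")) or "no findings")
```
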
