On 11.02.19 at 21:31, [email protected] wrote:
Has anyone been successful in getting Jmeter to authenticate on a Windows client with a Windows server using "Negotiate" and Kerberos? This would look like a four step handshake in which the server responds first with a 302 re-direct, then twice with 401, Unauthorized, and finally with a 200, OK as the client sends progressively more security information.
The 302 probably has nothing to do with the authentication (at least not directly). The first 401 should include a WWW-Authenticate header with Negotiate in it. This should tell JMeter to initialize a Kerberos context for a user and lead to a response with an Authorization header that starts with Negotiate and contains quite a bit of base64-encoded data.
So far I have only seen servers that send the 200 after the first response and don't need more information, and I doubt that JMeter, or rather httpclient, supports a login that spans more than one roundtrip.
If not, has anyone determined that this does not work in Jmeter? I can configure my HTTP Authorization Manager, and krb5.conf and jaas.conf files, but Jmeter will not respond to the challenge from the server. I am not seeing any Java exceptions. However, in the Jmeter log, for each of the last three request/response pairs, I see:
DEBUG o.a.h.i.c.TargetAuthenticationStrategy: Authentication schemes in the order of preference: [Negotiate, Kerberos, NTLM, CredSSP, Digest, Basic]
DEBUG o.a.h.i.c.TargetAuthenticationStrategy: Challenge for Kerberos authentication scheme not available
DEBUG o.a.h.i.c.TargetAuthenticationStrategy: Challenge for CredSSP authentication scheme not available
DEBUG o.a.h.i.c.TargetAuthenticationStrategy: Challenge for Digest authentication scheme not available
DEBUG o.a.h.i.c.TargetAuthenticationStrategy: Challenge for Basic authentication scheme not available
Are you sure that your krb5.conf and jaas.conf are getting used? Try enabling more debug information and check whether you really ask for Kerberos tickets on the JMeter side.
Regards, Felix
Thanks.
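As an added example (not code from this thread or from JMeter), the Python sketch below classifies the Negotiate headers of a recorded exchange to tell apart the cases discussed above: a client that never answers the challenge, a single round trip, and a server that asks for a further round trip. The function names and the sample exchanges are hypothetical, and the token bytes are constructed placeholders in which only the leading bytes are realistic.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"

def classify_negotiate(value):
    """Classify a WWW-Authenticate or Authorization header value."""
    parts = value.split(None, 1)
    if not parts or parts[0].lower() != "negotiate":
        return "not-negotiate"
    if len(parts) == 1:
        return "bare-challenge"        # scheme announced, no token yet
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:                 # binascii.Error is a ValueError
        return "invalid-base64"
    if raw.startswith(NTLMSSP):
        return "ntlm"                  # NTLM message carried under Negotiate
    if raw[:1] == b"\x60":
        return "gss-initial"           # GSS-API initial token (SPNEGO/Kerberos)
    if raw[:1] == b"\xa1":
        return "spnego-continuation"   # SPNEGO NegTokenResp
    return "unknown"

def diagnose(exchange):
    """exchange: list of (status, Authorization sent or None, [WWW-Authenticate])."""
    sent = [classify_negotiate(a) for _, a, _ in exchange if a]
    offered = any(classify_negotiate(c) != "not-negotiate"
                  for _, _, cs in exchange for c in cs)
    # Only a token on a 401 asks for more; a token on a 200 completes the context.
    more = any(classify_negotiate(c) == "spnego-continuation"
               for s, _, cs in exchange if s == 401 for c in cs)
    if offered and not sent:
        return "client never answered the Negotiate challenge"
    if "ntlm" in sent:
        return "client sent NTLM inside Negotiate"
    if more:
        return "server asked for a further round trip"
    return "single round trip" if "gss-initial" in sent else "inconclusive"

def _tok(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed samples, not captured traffic.
INIT, RESP = b"\x60\x82\x05\x00" + b"\x00" * 16, b"\xa1\x14" + b"\x00" * 20
SILENT = [(302, None, []), (401, None, ["Negotiate", "NTLM"]),
          (401, None, ["Negotiate", "NTLM"])]
SINGLE = [(401, None, ["Negotiate"]), (200, _tok(INIT), [_tok(RESP)])]
MULTI = [(401, None, ["Negotiate"]), (401, _tok(INIT), [_tok(RESP)]),
         (200, _tok(RESP), [])]
NTLM = [(401, None, ["Negotiate"]),
        (401, _tok(NTLMSSP + b"\x01\x00\x00\x00"), ["Negotiate"])]
```
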
