Am 12.05.20 um 08:58 schrieb Dembla, Chandan: > Hello, > > In order to configure JMeter to use Kerberos/SPNEGO authentication , we have > done the below configurations : > > 1. In the "jaas.conf" file present in the bin folder for apache JMeter we > added the details for keytab and principal This is most probably wrong. Don't do it. (Or if you do it, use a keytab for the client) > 2. Also, the other properties that we set were use "keytab=true, > storekey=true and isInitator-=false".In short, the jaas.conf in JMeter > contains the same details as contained by our jaas.conf present on our server. Don't. JMeter is a client, not a server. > 3. We have configured the "krb5.conf" as mentioned in the JMeter help > guide.The krb5.conf contains the same details as the krb5.conf on our server. > 4. In the "system.properties"we uncommented the properties > "java.security.krb5.conf & java.security.auth.login.config" .We modified > these file paths to use absolute location of jaas.conf and krb5.conf present > in the bin folder of apache JMeter. > 5. In the "user.properties" file we uncommented the three properties > "kerberos_jaas_application=JMeter, kerberos.spnego.strip_port=true and > kerberos.spnego.delegate_cred=false."
Probably not needed but should do no harm. The thing you really need to use is an Authentication Manager and use it for the definition of your credentials. JMeter will use these credentials to create (well, ask for) kerberos tickets, which it then can use for the spnego part. > > When we send a REST request to our application using the appropriate > settings in the HTTP authentication manager via Jmeter, we observe in our > application logs that the authentication header has the value null and we are > getting the username as "tomcat". When we hit the REST url through a browser, > in our application logs we see that the authentication header starts with > "Negotiate" and our correct username is picked. Look at the headers from the first response. It has to include a "WWW-Authenticate: Negotiate" header. The requests URL has to match a base url of your authentication manager. The domain has to match the domain of your user and the mechanism has to be Kerberos. You can enable debug information for Java kerberos stuff by setting the java system property |-Dsun.security.krb5.debug=true | That should give quite a lot (probably too much) information about all things the JVM does with respect to kerberos. Felix|| || > > > > > Thanks/ Best Regards/ Mit freundlichen Grüßen, > > Chandan Dembla > -- > Knorr-Bremse Technology Center India Pvt. Ltd > > Survey No. 276, Village Mann, Hinjawadi, Phase-II, Tal Mulshi, > Pune - 411057, Maharashtra, India > Phone: +91-20-39959028 > Mobile: +91-9922111920 > Fax: +91 20 3914 7099 > mailto: > [email protected]<mailto:[email protected]> > http://www.knorr-bremse.com<http://www.knorr-bremse.com/> > > > This transmission is intended solely for the addressee and contains > confidential information. > If you are not the intended recipient, please immediately inform the sender > and delete the message and any attachments from your system. > Furthermore, please do not copy the message or disclose the contents to > anyone unless agreed otherwise. To the extent permitted by law we shall in no > way be liable for any damages, whatever their nature, arising out of > transmission failures, viruses, external influence, delays and the like. >
