Highlighted
Absent Member.
Absent Member.
6003 views

LoadRunner and SPNEGO/Kerberos/NTLM

I have recorded a script that points to a SPNEGO-authenticated web site. In the run-time settings, 'Integrated Authentication' has been enabled. But I get this error while replaying the script:

...

vuser_init.c(16): HTTP Status-Code=401 (Authorization Required) for "http://server.domain.net/app/" [MsgId: MMSG-26630]
vuser_init.c(16): Attempting retry due to the above HTTP Status-Code of 401 for "http://server.domain.net/app/" [MsgId: MMSG-26678]
vuser_init.c(16): t=684ms: reporting user data point RETRY_401 [MsgId: MMSG-26000]
vuser_init.c(16): t=687ms: Already connected to server.domain.net:80 [MsgId: MMSG-26000]
vuser_init.c(16): Error -27734: Internal Error - Miscellaneous failure
Server not found in Kerberos database
[MsgId: MERR-27734]
vuser_init.c(16): Error -27764: Request "http://server.domain.net/app/" failed [MsgId: MERR-27764]
vuser_init.c(16): t=1038ms: Closed connection to server.domain.net:80 after completing 0 requests [MsgId: MMSG-26000]
vuser_init.c(16): web_url("url1") highest severity level was "ERROR", 255 body bytes, 557 header bytes, 11 chunking overhead bytes [MsgId: MMSG-26387]
Abort was called from an action.
vuser_init.c(16): t=1055ms: Closed connection to server.domain.net:80 after completing 1 request [MsgId: MMSG-26000]

...


Any clues, as to what could be the issue. Is there something amiss in the configuration - Loadrunner side or the Kerberos server(s) side?

Thanks!
0 Likes
9 Replies
Highlighted
Absent Member.. Absent Member..
Absent Member..

Have you correlated the script?

Play back your script with "Always sned messages" and "Extended log" turned on with "Parameter sub" and "Data returned by server" selected and post the portion of the replay log where the authentication is attempted. Maybe we can help after seeing that output.

Alan
0 Likes
Highlighted
Absent Member.
Absent Member.

btw, this is on Loadrunner 9 with 'Integrated Authentication' enabled. The vital question here is, how does one make LR work with SPNEGO? In my case, enabling 'Integrated Authentication' is not enough to get things working.

I don't see anything to be co-related as the problem is with the first ever request sent to the server; It seems, LR is not able to respond to the 'Negotiate' challenge. Following is the replay trace with enhanced logging.

vuser_init.c(16): web_url("url1") started [MsgId: MMSG-26355]
vuser_init.c(16): t=376ms: Connecting to host 10.255.125.40:80 [MsgId: MMSG-26000]
vuser_init.c(16): t=439ms: Connected socket from 10.44.187.93:3534 to 10.255.125.40:80 in 61 ms [MsgId: MMSG-26000]
vuser_init.c(16): t=441ms: 269-byte request headers for "http://server.domain.net/app/Login.do" (RelFrameId=1, Internal ID=1)
vuser_init.c(16): GET /app/Login.do HTTP/1.1\r\n
vuser_init.c(16): User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; In
vuser_init.c(16): foPath.1; .NET CLR 1.1.4322)\r\n
vuser_init.c(16): Accept-Encoding: gzip, deflate\r\n
vuser_init.c(16): Accept-Language: en-gb\r\n
vuser_init.c(16): Accept: */*\r\n
vuser_init.c(16): Connection: Keep-Alive\r\n
vuser_init.c(16): Host: server.domain.net\r\n
vuser_init.c(16): \r\n
vuser_init.c(16): t=526ms: 318-byte response headers for "http://server.domain.net/app/Login.do" (RelFrameId=1, Internal ID=1)
vuser_init.c(16): HTTP/1.1 401 Authorization Required\r\n
vuser_init.c(16): Date: Tue, 19 Feb 2008 16:18:36 GMT\r\n
vuser_init.c(16): Server: Apache\r\n
vuser_init.c(16): Set-Cookie: JSESSIONID=H7BcV4rC682JmT34brw6rRGm3dynVjgQQ3ttjKmW5TCNd2TlS4G2!-991057780; pa
vuser_init.c(16): th=/\r\n
vuser_init.c(16): WWW-Authenticate: Negotiate\r\n
vuser_init.c(16): Content-Length: 0\r\n
vuser_init.c(16): Keep-Alive: timeout=15, max=100\r\n
vuser_init.c(16): Connection: Keep-Alive\r\n
vuser_init.c(16): Content-Type: text/html\r\n
vuser_init.c(16): \r\n
vuser_init.c(16): HTTP Status-Code=401 (Authorization Required) for "http://server.domain.net/app/Login.do" [MsgId: MMSG-26630]
vuser_init.c(16): Attempting retry due to the above HTTP Status-Code of 401 for "http://server.domain.net/app/Login.do" [MsgId: MMSG-26678]
vuser_init.c(16): t=451ms: reporting user data point RETRY_401 [MsgId: MMSG-26000]
vuser_init.c(16): t=453ms: Already connected to server.domain.net:80 [MsgId: MMSG-26000]
vuser_init.c(16): Error -27734: Internal Error - Miscellaneous failure
Server not found in Kerberos database
[MsgId: MERR-27734]
vuser_init.c(16): Error -27764: Request "http://server.domain.net/app/Login.do" failed [MsgId: MERR-27764]
vuser_init.c(16): t=902ms: Closed connection to server.domain.net:80 after completing 0 requests [MsgId: MMSG-26000]
vuser_init.c(16): web_url("url1") highest severity level was "ERROR", 0 body bytes, 319 header bytes [MsgId: MMSG-26388]
Abort was called from an action.
0 Likes
Highlighted
Absent Member.. Absent Member..
Absent Member..

I see that this is line 16 in the init section. Is this the first call? If not it would be helpful to see all the returned data before the authentication failure.

I do not have experience specifically with SPNEGO but have tested apps with other types of authentication with no problems.

Since the forum base is currently limited I suggest if you have not already done so, open up a ticket with HP. They should be able to help. In the mean time if there is additional data before what you have posted here please post it so we can take a look.

Alan
0 Likes
Highlighted
Absent Member.
Absent Member.

under runtime settings > internet protocol > prefrences select wininet replay instead of sockets. in the advanced options section undet authentication set enable integrated authentication to yes.

This should help
0 Likes
Highlighted
Absent Member.
Absent Member.

Hi Gulen,

I am facing a similar issue to this right now.

Did you ever get to the bottom of the issue and successful test a Kerberos protected site?

Also, this article looks helpful.

http://90kts.com/blog/2008/performance-testing-spnego-or-kerberos-with-loadrunner/

I haven't asked the team to try it yet, but it is hopeful.

Thanks,
TC
0 Likes
Highlighted
Absent Member.
Absent Member.

Hi Gulen,
You will need to download spnego.dll from Microsoft. You will probably need to customise it a little in Visual Studio as all tokens are of a different length (there is some information on this on the download site)MSDN search for Kerberos Token. Load the customised spnego.dll (lr_load_dll) and apply it in a custom header. Should work in sockets or integrated authorisation but it does stop all LoadRunner transactions working (and custom C code) at the point where the .dll is loaded. Good luck.
Colin.
0 Likes
Highlighted
Absent Member.
Absent Member.

Shot in the dark: web_set_user()?
Oliver
0 Likes
Highlighted
Absent Member.
Absent Member.

Hi Gulen,
I can send you all the work I did (successfully) if you want, I've just stumbled across it, I'll need to take some sensitive stuff out of it but it's not a problem if it will help. I have the SPNEGO source code and a sample .dll too. One thing that accurred to me too, the kit you're working with will probably need Kerberos.ini applied too, there's plenty of documentation about that on MSDN.
Colin.
0 Likes
Highlighted
Absent Member.
Absent Member.

Gulen,
It would be great if you could post your solution (in as much detail as possible) so that others can benefit.

Thanks!

Mike
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.