Highlighted
Outstanding Contributor.. Outstanding Contributor..
Outstanding Contributor..
4498 views

HTTPS Protocol Replay issues in Vugen 12.5x

Jump to solution

Hello community,

I am able to access the web application with credentials but when replaying in VuGen 12.53, there is an error message saying

Action.c(12): Error-26630:HTTP Status-Code=401 (Unauthorized) for "https://abcdef.aspx" [Msgid: MERR-26630]

When I tried to access this URL in the recorded Action.c by clicking URL then I was able to access.

It looks like the issue arises only when the recorded script is replaying within VuGen.

HTTP Stauts 401 just means that the page cannot be loaded until right credentials are provided which it did in the recorded script.

Any ideas what's causing this issue?

Thanks in advance,

0 Likes
1 Solution

Accepted Solutions
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

A last suggestion: Try to record in HTML i.s.o. URL mode (and again test with various NTLM options).

After above failed, I would suggest to open a support ticket.

Signature:
Reward community members who take time to respond and help.

View solution in original post

14 Replies
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

Next to supplying correct credentials, the web application uses some kind of SessionId to know that you have supplied the correct credentials. You need to apply correlation to your script: find those numbers/strings that will change each time you have entered the credentials. Look for special Header fields. This is a tricky part and can be very complex.

Please share some code so that we might be able to advice or consult your stakeholders (development department), they should be able to tell you how they implement this.

Signature:
Reward community members who take time to respond and help.
Highlighted
Outstanding Contributor.. Outstanding Contributor..
Outstanding Contributor..

Thanks JHF for response.

It is secure environment so it's not possible to share the majority of code. However, this is some portion that I can show.

In the beginning of script:

web_set_sockets_option("SSL_VERSION", "2&3");

web_set_user("secure.net\\username",
    lr_decrypt("afsdfaerd231312sdafdf"),
    "website_url:443");

The rest of script consist of a typical web_url with following format:

web_url("xxx",
    "URL=xxx"
    "Resource=1",
    "RecContentType=text/javascript",
    "Referer=https://xxxx",
    "Snapshot=xxx.inf",
    LAST);

I looked at lr_decrypt string value and the credential is correctly typed and used.

FYI, I am an authorized user on the application and manually I am able to access the web application without any problem. This error happens only in replaying from VuGen. Also, when recorded the script I have successfully entered my authentication detials in NLMN authentiation popup.

Based on the web_set_user, correct credential is used and showed. However, during replay, perhaps it's not taking this credential for some reasons and that's why there is an error message "Error-26630:HTTP Status-Code=401 (Unauthorized) for xxxx [Msgid: MERR-26630]

Any thoughts?

Thanks in advance,

0 Likes
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

After your login ( web_set_user() ) some 'token' should be returned by your web-server that token should then be send with each next call from client to server. This can be a special header field, cookie or can be part of your URL in your web_url() call.

You have to identify this token and parameterize it. When you cannot share more than you do, it will be hard to handle.

Look to the correlation functionality of VuGen, it should help you to identify these per-session differences.

An alternative might be: When you make a recording, LR makes a log file most of time found in <LR-folder>/data/CodeGenerationLog.txt. Just make two simple recordings of the login and first request page that gives now error 401. Consult the mentioned log file and look for differences that might identify the security token that is used.

You are hitting the fundamentals of LR's HTTP(S) based recordings. Try to read documentation and look for LR correlation on the internet. You might also ask your manager to follow some LR training, else I forsee a long journey that is also not effective for your company (hidden costs).

 

Signature:
Reward community members who take time to respond and help.
Highlighted
Outstanding Contributor.. Outstanding Contributor..
Outstanding Contributor..

Thanks JHF for reponse.

I've attached the recorded script from VuGen.

If you can provide some lights, much appreicated it.

Thanks in advance,

0 Likes
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

All data in the web-calls is scrambled. You really need to make two recordings and compare the results: which part is equal and what is different.

Try to find the differences in the log file I mentioned before and see if there is a pattern of a response value is used in next call.

Signature:
Reward community members who take time to respond and help.
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

I was just going over the fix list from LR 12.60 backwards and I found this fix text "web_add_auto_hearder adds the "Authorization" header only on the first request sent" This is fixed in 12.55 and you reported you are on 12.53.

When your web application uses Basic authentication, you might check if you need the Authorization header and fill it with the propper format.

Check your recording log for this header.

Signature:
Reward community members who take time to respond and help.
Highlighted
Outstanding Contributor.. Outstanding Contributor..
Outstanding Contributor..

Thanks JHF for response.

I am currently going through the script and trying to find out what may causing the issue.

Yes, I see there is Authorization inside the Request and I believe this works as SessionID or Token or some sorts of authentication.

Here is a tricky part though. The script contains mutliple web_url. Each web_url, there is a different Authorization. I assume there should be one Authorizaiton in the script.

I understand the different scripts may have different Authorizations, but I expect the same Authorization within the script throughout. It looks like this is not the case for the script I am working on.

Is it possible to have different Authorizations within the script with different web_url? Is this norm or unusual?

The examples I saw when researched, most of applications within the script have one session id or token or authentication, not multiple within the same script.

Am I mistakenly undersanding here? Pleaes correct me If I understand something incorrectly.

Thanks,

0 Likes
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

I think that you should realy contact the development group of this web service to get a better understanding of the used Authentication method.

But still a few remarks: "Here is a tricky part though. The script contains mutliple web_url. Each web_url, there is a different Authorization. I assume there should be one Authorizaiton in the script." Is there a response-request chain of: Response-Autorization is Request-Authorization or alike?

Does your web side has some java script that do special things with the Authorization header?

"Is it possible to have different Authorizations within the script with different web_url? Is this norm or unusual?" Not for the Basic Authentication as far as I understand (see given link above).

I think that someone with proper experience might resolve the issue for you, but than you have to share/disclose the full recording trace.

 

 

Signature:
Reward community members who take time to respond and help.
Highlighted
Outstanding Contributor.. Outstanding Contributor..
Outstanding Contributor..

JHF, thanks for response.

Contacted the developer and waiting for response. On the meantime, below is the answer to your quesetions and findings.

Looking at the Headers, request-authorization and reponse-authorization look similar but not the same.

The web application is embedded with a lot of java scripts and not sure if they do speical things with the Authorization header. This should be addressed by developers.

I've attached the screen shots for what I am seeing for Request and Response in Headers.

Let me know if you have any inputs or thoughts.

Thanks very much in advance,

0 Likes
Highlighted
Acclaimed Contributor.
Acclaimed Contributor.

From your screenshots I see that you use NTLM authentication and not Basic.

Google on "LoadRunner NTLM authentication" at least here some links, I did not look closely into these articals, so I hope they are relevant.

Does-LoadRunner-passes-with-NTLM-Authentication

hp-loadrunner-runtime-settings-preferences-authentication

protocols-web-http/html-NTLM

Signature:
Reward community members who take time to respond and help.
Highlighted
Outstanding Contributor.. Outstanding Contributor..
Outstanding Contributor..

JHF,

Yes, the authentication is NLTM not basic. Sorry I passed along wrong information.

I've looked through the links on the post but I was not able to find the information that was related to the issue.

I have tried many options for this issue, but so far no luck and I am getting the same error message whichever method I tried.

1) Tried with WinlNet level data instaed of Socket level data.
2) Tried with Socket level and WinlNet level data
3) Runtime Setting->Authentication->tried a variety of options listed and combination of those
4) Placed web_set_sockets_option("SSL_VERSION", "TLS")
5) Looked through all of KB articles related to NTLM issue, but was not able to find ones.
6) Looked at the correlation functionality, URL recorded within web_url function. However, I don't believe this is causing the issue.
7) Made two recordings with identical transactions and compared. There were some differences but nothing significant such as "Snapshot=xxx.inf".
😎 The main issue is that it cannot get to the main URL of application with an error message 401.

The closest KB article about NTLM that I found this following:
https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/KM870594

Yes, the first two status is 401 and the third status is 200 OK based on the CodeGenerationLog. However, my case when replaying, it still giving 401.

Are there anything I can do to resolve this issue? I don't believe I am the first one to experience this. Any guidance or suggestaions are appreciated it.

Thanks in advance

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.