Performance Testing SPNEGO or Kerberos with LoadRunner

Alas, it can’t be done in JMeter. So this is how it works in LoadRunner …
This challenge came up recently and we were able to figure out how to test SPNEGO or Kerberos using Integrated Windows Authentication with LoadRunner.

To test this I built a VM with Win2K3, an AD domain and IIS6. To enforce Kerberos-only authentication I modified IIS as per the following:
[Screenshot: kerb1.png]

I didn’t have WebSEAL (which is what I was ultimately trying to simulate) but I believe this is reasonably close, to quote:

Integrated Windows authentication uses Kerberos v5 authentication and NTLM authentication. Kerberos is an industry-standard authentication protocol that is used to verify user or host identity. If Active Directory is installed on a domain controller running Windows 2000 Server or Windows Server 2003, and the client browser supports the Kerberos v5 authentication protocol, Kerberos v5 authentication is used; otherwise, NTLM authentication is used.

So to log on to my test page I needed to provide domain credentials in IE. I also made sure my client IE enforces IWA as per the following:
[Screenshot: kerb2.png]

If I don’t provide my domain credentials (in this case: smallbusiness\fred) then I get knocked back with a 401 as expected.

On generation of my LR script the first response is a 401.2. It then does a second request with the authorization header i.e.
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==

The response header to this tells me to authenticate i.e.
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAGgAaADgAAAAFgomir1xcxf5zo2MAAAAAAAAAAOIA4gBSAAAABQLODgAAAA9TAE0AQQBMAEwAQgBVAFMASQBOAEUAUwBTAAIAGgBTAE0AQQBMAEwAQgBVAFMASQBOAEUAUwBTAAEAHgBLAE8ATwBQAFMALQA5ADYAWABZADIAVwBEAFUANgAEACYAcwBtAGEAbABsAGIAdQBzAGkAbgBlAHMAcwAuAGwAbwBjAGEAbAADAEYAawBvAG8AcABzAC0AOQA2AHgAeQAyAHcAZAB1ADYALgBzAG0AYQBsAGwAYgB1AHMAaQBuAGUAcwBzAC4AbABvAGMAYQBsAAUAJgBzAG0AYQBsAGwAYgB1AHMAaQBuAGUAcwBzAC4AbABvAGMAYQBsAAAAAAA=

The next request authorizes presumably with the correct token i.e.
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAIgAAAAYABgAoAAAABoAGgBIAAAACAAIAGIAAAAeAB4AagAAAAAAAAC4AAAABYKIogUCzg4AAAAPcwBtAGEAbABsAGIAdQBzAGkAbgBlAHMAcwBmAHIAZQBkAEsATwBPAFAAUwAtADkANgBYAFkAMgBXAEQAVQA2AB15bTxE3i63AAAAAAAAAAAAAAAAAAAAALQ6IC82wYIBXpniDchRG9zSW8/bC4891w==

From which the response is gravy, and my homepage loads.
So the recording process looks like it went through the necessary authentication steps.
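
A Negotiate header can carry either a Kerberos token or an NTLM message, so decoding the base64 token from a recording or a replay log shows which mechanism was actually used. The following is an added example, not code from the original post or from LoadRunner; `classify_negotiate` and `constructed_spnego_krb5` are names made up here, the NTLM sample is the third recorded Authorization header above, and the Kerberos sample is constructed and contains no real ticket.

```python
import base64
import struct

SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

def _field(raw, pos, enc):
    # NTLM security buffer: length, max length, offset from message start
    length, _, offset = struct.unpack_from("<HHI", raw, pos)
    return raw[offset:offset + length].decode(enc, errors="replace")

def classify_negotiate(header_value):
    """Return (mechanism, details) for a 'Negotiate <base64>' header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token:
        raise ValueError("expected 'Negotiate <base64 token>'")
    raw = base64.b64decode("".join(token.split()), validate=True)
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        details = {"message_type": struct.unpack_from("<I", raw, 8)[0]}
        if details["message_type"] == 3 and len(raw) >= 64:
            unicode_on = struct.unpack_from("<I", raw, 60)[0] & 0x1
            enc = "utf-16-le" if unicode_on else "cp437"  # OEM page assumed
            for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
                details[name] = _field(raw, pos, enc)
        return "NTLM", details
    if raw[:1] == b"\x60":  # GSS-API initial context token
        if KRB5_OID + b"\x01\x00" in raw:  # Kerberos OID then AP-REQ token id
            return "Kerberos", {"spnego_wrapped": SPNEGO_OID in raw[:16]}
        if b"NTLMSSP\x00" in raw:
            return "NTLM", {"spnego_wrapped": True}
    return "unknown", {}

def constructed_spnego_krb5():
    """Constructed sample: SPNEGO NegTokenInit with a stub AP-REQ, no real ticket."""
    ap_req = b"\x60\x10" + KRB5_OID + b"\x01\x00\x6e\x01\x00"
    body = b"\xa0\x0d\x30\x0b" + KRB5_OID + b"\xa2\x14\x04\x12" + ap_req
    raw = b"\x60\x31" + SPNEGO_OID + b"\xa0\x27\x30\x25" + body
    return "Negotiate " + base64.b64encode(raw).decode()

# Third recorded Authorization header from this page, in 4-character base64
# groups; whitespace is stripped before decoding.
PAGE_TYPE3 = "Negotiate " + """
TlRM TVNT UAAD AAAA GAAY AIgA AAAY ABgA oAAA ABoA GgBI AAAA CAAI AGIA AAAe AB4A
agAA AAAA AAC4 AAAA BYKI ogUC zg4A AAAP cwBt AGEA bABs AGIA dQBz AGkA bgBl AHMA
cwBm AHIA ZQBk AEsA TwBP AFAA UwAt ADkA NgBY AFkA MgBX AEQA VQA2 AB15 bTxE 3i63
AAAA AAAA AAAA AAAA AAAA ALQ6 IC82 wYIB Xpni DchR G9zS W8/b C489 1w=="""

if __name__ == "__main__":
    for header in (PAGE_TYPE3, constructed_spnego_krb5()):
        print(classify_negotiate(header))
```

As a quick visual check without any tooling, a token beginning with TlRMTVNTUA is an NTLMSSP message, while SPNEGO and Kerberos initial tokens start with the byte 0x60, which base64-encodes to a leading "Y".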

Now in my LR script Action() I can set the domain credentials dynamically with web_set_user (hence emulate multiple users) i.e.
web_set_user("smallbusiness\\fred","********", "smallbusiness.local:80");

Then follow with a web_url request to the server i.e.

	web_url("smallbusiness.local",
		"URL=http://smallbusiness.local/",
		"Resource=0",
		"RecContentType=text/html",
		"Referer=",
		"Snapshot=t1.inf",
		"Mode=HTML",
		LAST);

Play that back and it fails. (Assuming WebSEAL will reject NTLM which in this case my test rig won’t, but I can make that assumption…)

Now change a couple of runtime settings:
Internet Protocol->Preferences->Options->Authentication->Enable Integrated Authentication
[Screenshot: kerb3.png]

This makes sure that when the server asks for authentication via the first 401.2/1, SPNEGO/Negotiate/Kerberos is tried *first*, before any other protocol (like NTLM).

You also need to change:
Internet Protocol->Preferences->Advanced->WinInet [checked]:
[Screenshot: kerb4.png]

This instructs VuGen to use the WinInet replay engine instead of the standard Sockets replay. VuGen has two HTTP replay engines: Sockets-based (the default) and WinInet-based. WinInet is the engine used by Internet Explorer and it supports all of the features incorporated into the IE browser. I think this *better* emulates the IE client settings for IWA …

And re-run the script. I now get past the authentication using Kerberos and successfully load my home page… This can be repeated for WebSEAL provided you first do a web_set_user (so it knows what domain credentials to use) which effectively lets you run the test with multiple users… Great for testing those WebSEAL/SPNEGO/Kerberos single sign on solutions… :)


7 Responses to Performance Testing SPNEGO or Kerberos with LoadRunner

  1. Tim

    Remember, if you’re going to be testing via HTTPS then make sure you change the port number in your
    web_set_user call!


    web_set_user("smallbusiness\\fred","********", "smallbusiness.local:443");

  2. Ibrahim Khan

    Thank you very much for the details. We use the Web-click and script protocol and SSO is not working. Do you have any solution for that?

    But thank you very much for the details you provided. I tried the concept you mentioned and it works for the HTTP/HTML protocol but not with the web click and script protocol. I will be very thankful if you could provide any details in regard to that.

    regards,
    Ibrahim.

  3. LoadTester

    Hi, this is a very informative narration of the SSO testing… How do I enable IP Spoofing with SSO (SPNEGO)? WinInet and IP Spoofing don’t work together… Any solution for this?

    Thanks,
    Raj

  4. Mark

    You are a god.

  5. Harry

    Hi,

    Thanks for the information you provided. It worked for me when I recorded the script through Web HTTP/HTML, but the app I am load testing has some Java AJAX calls, so I need to use Ajax (Click and Script). I followed the same steps provided for HTTP/HTML but the script failed to reply.

    I would appreciate it if you could provide the solution.

    Thanks in advance.
    Harry

  6. Tim

    Hi guys, I’ve provided improved instructions here
    http://90kts.com/blog/2009/improved-spnego-or-kerberos-support-with-loadrunner/

    This should help you out, particularly if WinInet was causing you dramas…

    Enjoy

  7. Walid

    Hi,
    I am testing a web app in these same conditions; I have set and configured all parameters as described in this article.
    However, while replaying my script I get the application authentication window and couldn’t go far.
    Is there any solution for that?
    Regards
    Walid