Improved SPNEGO or Kerberos support with LoadRunner

Previously I identified a way to test SPNEGO or Kerberos authentication with LoadRunner. However, that implementation was buggy: if you ran your load tests under reasonable load with the WinInet replay engine (instead of sockets), you were likely to encounter the following error:

Error -27492: "HttpSendRequest" failed, Windows error code=12057 (certificate revoked) and retry limit (0) exceeded for URL="https://someplacesecure.com.au/secure.html", Snapshot Info [MSH 1 2]

This error occurs when using WinInet replay instead of sockets with Integrated Authentication enabled in run-time settings. The purpose of this was to allow vusers to use SSO with SPNEGO authentication in an IBM WebSEAL environment.

After spending some time with the mystical HP level 3 support, they identified an undocumented flag which helps significantly with this. So, instead of using the WinInet replay engine (which is not encouraged by HP), you should do something similar to the following.

vuser_init()
{
	// Preferred run-time settings
	//   Browser -> Browser Emulation
	//     [ ] Simulate a new user on each iteration
	//   Preferences -> Options
	//     Enable Integrated Authentication [Yes]

	// Undocumented flag from HP support; lets this run in sockets mode
	web_set_sockets_option("INITIAL_BASIC_AUTH","1");

	// Placeholder credentials, scoped to the target host:port
	web_set_user("DOMAIN.LOCAL\\username",
		"password",
		"someplacesecure.com.au:443");

	// First request to the protected portal
	web_url("myportal",
		"URL=https://someplacesecure.com.au/wps",
		"Resource=0",
		"Referer=",
		"Mode=HTML",
		LAST);

	return 0;
}

The magic is in the web_set_sockets_option("INITIAL_BASIC_AUTH","1") flag. Set that and you can then use LoadRunner in Sockets mode, which, as it turns out, is much more stable.

Enjoy.
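To see which scheme a replayed request actually carried, the Authorization header value from a capture can be classified as below. This is an added example, not code from the original post or from LoadRunner; the enum and function names are hypothetical and the sample value in main() is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Result of inspecting one Authorization header value. */
enum auth_kind { AUTH_NONE, AUTH_BASIC, AUTH_NTLM, AUTH_NEGOTIATE_NTLM,
                 AUTH_NEGOTIATE_GSS, AUTH_OTHER };

static int b64val(char c)   /* value of one base64 char, -1 otherwise */
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Decode up to `max` leading bytes of a base64 string; returns the count. */
static size_t b64_prefix(const char *s, unsigned char *out, size_t max)
{
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (; n < max && b64val(*s) >= 0; s++) {
        acc = (acc << 6) | (unsigned)b64val(*s);
        bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (unsigned char)(acc >> bits); }
    }
    return n;
}

/* Classify the scheme and, for Negotiate, how the token is framed. */
enum auth_kind classify_authorization(const char *value)
{
    unsigned char tok[8];
    if (value == NULL || *value == '\0') return AUTH_NONE;
    if (strncasecmp(value, "Basic ", 6) == 0) return AUTH_BASIC;
    if (strncasecmp(value, "NTLM ", 5) == 0) return AUTH_NTLM;
    if (strncasecmp(value, "Negotiate ", 10) != 0) return AUTH_OTHER;
    size_t n = b64_prefix(value + 10, tok, sizeof tok);
    /* Raw "NTLMSSP\0" signature: NTLM sent under the Negotiate scheme. */
    if (n == 8 && memcmp(tok, "NTLMSSP", 8) == 0) return AUTH_NEGOTIATE_NTLM;
    /* 0x60: GSS-API initial token; 0xa1: SPNEGO NegTokenResp. */
    if (n > 0 && (tok[0] == 0x60 || tok[0] == 0xa1)) return AUTH_NEGOTIATE_GSS;
    return AUTH_OTHER;
}

int main(void)
{
    /* Constructed sample value, not captured from a real system. */
    printf("%d\n", classify_authorization("Negotiate TlRMTVNTUAABAAAA"));
    return 0;
}
```

AUTH_NEGOTIATE_GSS only shows that the token is GSS-API framed; SPNEGO can still select NTLM as its inner mechanism, so confirming Kerberos requires decoding the mechanism OIDs as well.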


Performance Testing SPNEGO or Kerberos with LoadRunner

Alas, it can’t be done in JMeter. So this is how it works in LoadRunner …
This challenge came up recently and we were able to figure out how to test SPNEGO or Kerberos using Integrated Windows Authentication with LoadRunner.


SSH and SCP over alternate ports

For an internet-facing SSH server, it is probably common practice to have sshd listening on a non-standard port. Coupled with key pair authentication, this reduces the profile you present to simple brute-force attacks.

Connecting to an SSH server on a non-standard port is relatively simple:

ssh -p <port> username@servername.com

You may however need to copy files from the SSH server on an alternate port. Easy:

scp -P <port> username@servername.com:/path/to/remote/file ~/home/path/to/local/file

But what happens if you’re using a proprietary client other than scp from the console that won’t support non-standard ports?


Faking it! (UDP packets that is…)

An associate of mine recently wanted a load script that could simulate thousands of UDP packets carrying a custom payload coming from different IP addresses. They were implementing a customised RFID solution that needed to simulate load from a lot of sources (think active RFID tags).

There are many different ways you can accomplish this. Solutions like LoadRunner offer the ability to spoof source IP addresses, but in this case the client couldn’t afford hefty licensing fees. So, getting back to basics, I launched the *flood* from a Cygwin shell running Ruby.

The code looked a little like this…
