Created attachment 31801
Patch to alter SPN generation behaviour in AuthManager.java

We are load testing a server using Kerberos authentication, but the server principal name is not being generated in the format that the server expects. JMeter appears to use this format:

HTTP/example-server.com

but our server expects:

HTTP/example-server.com:12345

(where 12345 is the port number of the site being tested).

Chrome has a command-line switch '--enable-auth-negotiate-port' (disabled by default) that adds this port number to the SPN for sites that are on a port other than 80 or 443. (This is documented at http://dev.chromium.org/developers/design-documents/http-authentication) - using this switch allows the site to be browsed in Chrome.

Could a similar option be added to JMeter? At the moment I've hacked a solution in src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java that adds the port number on if it is a non-standard port to mimic Chrome's behaviour with the switch enabled. This obviously needs putting behind some sort of option but I haven't had time to code this properly. My diff is attached in case this is useful to anyone.
Hello,
Thanks for the patch. I committed it to trunk nearly as is without adding an option as it does not seem necessary to me. But it would be great if you could test toward your initial site and a site with regular port (80 or 443).

Version should be available in nightly build:
http://jmeter.apache.org/nightly.html

Installing JMeter runtime
Download the _bin and _lib files
Unpack the archives into the same directory structure
The other archives are not needed to run JMeter.

Philippe M.
@philmdot
Date: Wed Jul 16 14:42:17 2014
New Revision: 1611028
URL: http://svn.apache.org/r1611028
Log:
Bug 56701 - HTTP Authorization Manager/ Kerberos Authentication: add port to SPN when server port is neither 80 nor 443
Bugzilla Id: 56701

Modified:
jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java
jmeter/trunk/xdocs/changes.xml
Hello Felix,
As you are the Kerberos expert of JMeter, it would be nice to have your opinion on this issue and fix in nightly build.
Thanks for your help in advance.
Regards
Philippe
I don't think that it is a good idea to make a non-default option, that is available in only one major browser, to be the default for JMeter.

As written in the Chrome URL given and cited by Dan, only Chrome supports the port embedded in the SPN. IE and Firefox will not embed ports into the SPN. As SPNEGO is essentially a child of Microsoft, I would opt to be compatible with IE as the default. (I have done my tests only with Firefox, though.)

The easiest solution would be to introduce a system property to decide which algorithm should be used. But it might be that someone would like to test two different systems, which behave differently in respect to port embedded into SPN. (We could wait for that to happen :)
Hello Felix,
Thanks for feedback.
Currently what will happen is the following:
- If port is 443 or 80 then it will not be appended.
- If port is none of the above, then :<port> will be appended.

With this behaviour, is your note still valid? If yes I will introduce a system property.
Thanks
Yes, that is exactly what I meant. Firefox and IE will produce a SPN HTTP/hostname for every given port. Chrome will do that as default. Chrome will construct a HTTP/hostname:port SPN only if you start it with --enable-auth-negotiate-port. So I would opt for generating HTTP/hostname as default for every given port. If someone really wants HTTP/hostname:port for non standard ports (80 and 443) we should give him a chance by setting a system property (something like -Dorg.apache.jmeter.enable-auth-negotiate-port=true)
Thanks a lot for feedback Felix.
You think a System property is better than a JMeter property?
Feel free to contribute a patch, otherwise I should be handling this in the upcoming days.
Regards
Created attachment 31831
Add an option to enable the chrome optional behavior

Haven't tested it yet against my kerberos setup. But you can review it anyway, since the changes seem to be trivial enough. Will add a comment as soon as I have tested it against my previous setup (using a tomcat listening on port 8080).
Date: Fri Jul 18 20:05:59 2014
New Revision: 1611785
URL: http://svn.apache.org/r1611785
Log:
Bug 56701 - HTTP Authorization Manager/ Kerberos Authentication: add port to SPN when server port is neither 80 nor 443
Add a jmeter property to control behaviour. By default strip port.
Bugzilla Id: 56701

Modified:
jmeter/trunk/bin/jmeter.properties
jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java
jmeter/trunk/xdocs/changes.xml
jmeter/trunk/xdocs/usermanual/component_reference.xml
Thanks a lot Felix, I updated the name of the property to relate it to kerberos.
I have tested the current trunk against my test setup, which uses HTTP/www.example.com@EXAMPLE.COM as SPN for a tomcat service which runs on port 8080. That setup works.

I have tried to change my SPN to HTTP/www.example.com:8080@EXAMPLE.COM, generated a new ktab for tomcat, changed kerberos.spnego.strip_port to "false", and tried again. It seems to use the correct SPN, but tomcat can't authenticate that SPN with its keytab against apacheds. That might be a setup problem though.

So all in all, I think the feature will do what the original requestor wants.
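
The SPN selection discussed in this thread, as an added example that is not part of the original comments and is not JMeter's AuthManager code: it prints, for a few constructed target URLs, which service principal a client would request with port stripping on (the default described above) and off, so the matching entry can be checked in the server's keytab. The class name SpnPreview and the helper buildSpn are hypothetical; the realm suffix (@EXAMPLE.COM in the test setup above) is left out.

```java
import java.net.URI;

public class SpnPreview {

    // Hypothetical helper illustrating the rule from this thread:
    // stripPort=true  -> always HTTP/host (IE/Firefox/default Chrome behaviour)
    // stripPort=false -> HTTP/host:port, but only when the port is neither 80 nor 443
    static String buildSpn(URI target, boolean stripPort) {
        String host = target.getHost();
        if (host == null) {
            throw new IllegalArgumentException("No host in URL: " + target);
        }
        int port = target.getPort(); // -1 when the URL carries no explicit port
        boolean standardPort = port == -1 || port == 80 || port == 443;
        if (stripPort || standardPort) {
            return "HTTP/" + host;
        }
        return "HTTP/" + host + ":" + port;
    }

    public static void main(String[] args) {
        // Constructed sample targets, not taken from a real deployment.
        String[] urls = {
            "http://www.example.com/app",
            "https://www.example.com:443/app",
            "http://www.example.com:8080/app",
            "https://example-server.com:12345/"
        };
        for (boolean stripPort : new boolean[] {true, false}) {
            for (String url : urls) {
                System.out.printf("strip_port=%-5s %-34s -> %s%n",
                        stripPort, url, buildSpn(URI.create(url), stripPort));
            }
        }
    }
}
```

Whichever form the client requests must exist as a principal in the KDC and in the service's keytab; a mismatch between the two forms shows up as an authentication failure on the server side rather than as a client error.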
This issue has been migrated to GitHub: https://github.com/apache/jmeter/issues/3394