解决了

用Kerberos SSO Neoload 2023.1

  • 2023年7月26日
  • 4回复
  • 12的观点
凯特
Userlevel 5
徽章 + 2
  • 凯特
  • 社区经理
  • 72回复

你好,

自neoload 9.2到2023.1的迁移,调用url不再要求Kerberso认证工作

即使测试工具jre \ bin \ java jar bin \ \ kerberos-tester-1.0.1-all工具。jar它不工作了

调试是真的storeKey假useTicketCache假useKeyTab假doNotPrompt假ticketCache是null isInitiator真正的KeyTab零refreshKrb5Config假主要是null tryFirstPass是假useFirstPass是错误的对于storePass是假clearPass是错误的

给用户名和密码进行谈判

(Krb5LoginModule)用户输入用户名:XXXXX

> > > KdcAccessibility:重置

(Krb5LoginModule)身份验证失败

不支持默认etyp default_tkt_enctypes

支持不启动谈判,如果允许将回退到其他方案。原因:

GSSException:没有提供有效身份证件(机制水平:没有提供有效身份证件(机制层面:为了获得新的启动凭证失败!(空)))

在java.security.jgss / sun.security.jgss.spnego.SpNegoContext。initSecContext(未知来源)

在java.security.jgss / sun.security.jgss.GSSContextImpl。initSecContext(未知来源)

在java.security.jgss / sun.security.jgss.GSSContextImpl。initSecContext(未知来源)

在java.security.jgss / sun.net.www.protocol.http.spnego.NegotiatorImpl.init(未知来源)

在java.security.jgss / sun.net.www.protocol.http.spnego.NegotiatorImpl。< init >(未知来源)

在java.base / jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(本地方法)

在java.base / jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(未知来源)

在java.base / jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(未知来源)

在java.base / java.lang.reflect.Constructor。newInstance(未知源)

(最初要求和解决支持中心)

图标

最佳答案社区管理员2023年7月26日17:02

Ok got it. This is only a doc option so in your krb5.conf there's no encryption set and it uses the default. When we look at the two output you have provided from the Kerberos tools we can see that in 9.2.1 we have \"default_tgs_enctypes: 18 17 20 19 16 23\" whereas in 2023.1 it's \"default_tgs_enctypes: 18 17 20 19\"<\/p>

It means that 16 and 23 are not part in the default anymore. Looking on the Internet this is for \"des3-cbc-sha1-kd\" and \"rc4-hmac\". Both are deprecated.<\/p>

I'm not able to confirm if one of them has been used by 9.2.1 but maybe you could check directly on the machine using the \"klist -e\" command to check the encryption used. Then this could be \"forced\" in your krb5.conf.<\/p>

You can also force with the two missing encryption in 2023 to check if it makes any difference like :<\/p>

default_tgs_enctypes = des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 rc4-hmac<\/p>

Another way to check would be to capture the traffic.<\/p>

You should open a support ticket if this information does not help since it seems tricky.<\/p>

Thanks<\/p>","className":"post__content__best_answer"}">

查看原始
质量问题,凯特
Hello,<\/p>

Since the migration from neoload 9.2 to 2023.1, calls to urls requiring Kerberso authentication no longer work<\/p>

even with test tool jre\\bin\\java -jar bin\\tools\\kerberos-tester-1.0.1-all.jar it doesn't work anymore<\/p>

\u00a0<\/p>

\u00a0<\/p>

Debug is\u00a0 true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false<\/p>

Feeding username and password for Negotiate<\/p>

[Krb5LoginModule] user entered username: XXXXX<\/p>

\u00a0<\/p>

>>> KdcAccessibility: reset<\/p>

[Krb5LoginModule] authentication failed\u00a0<\/p>

no supported default etypes for default_tkt_enctypes<\/p>

Negotiate support not initiated, will fallback to other scheme if allowed. Reason:<\/p>

GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null)))<\/p>

at java.security.jgss\/sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source)<\/p>

at java.security.jgss\/sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)<\/p>

at java.security.jgss\/sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)<\/p>

at java.security.jgss\/sun.net.www.protocol.http.spnego.NegotiatorImpl.init(Unknown Source)<\/p>

at java.security.jgss\/sun.net.www.protocol.http.spnego.NegotiatorImpl.<init>(Unknown Source)<\/p>

at java.base\/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)<\/p>

at java.base\/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)<\/p>

at java.base\/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)<\/p>

at java.base\/java.lang.reflect.Constructor.newInstance(Unknown Source)<\/p>

\u00a0<\/p>

[Originally asked and solved on Support Hub]<\/p>","quoteUsername":"Kat","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote & Reply","Share":"Share"}}}">

4回复

C
Userlevel 3
徽章 + 2

你好,我不知道任何有关Kerberos NeoLoad 9.2之间变化。xx和2023.1。你能确认在同一台机器上9.2。xx工作和2023.1不?

在2023.1你配置文件从“ntlm”转向“spnego”并使用相同的krb5。在两个版本配置文件吗?

如果需要你可以捕捉Wireshark的网络流量而重现用户的路径。你应该能够比较的Kerberos参数发送两个不同的版本。

Hello, i'm not aware of any change about Kerberos between NeoLoad 9.2.xx and 2023.1. Could you confirm that on the same machine 9.2.xx works and 2023.1 does not?<\/p>

In 2023.1 have you switched the configuration file from \"ntlm\" to \"spnego\" and used the exact same krb5.conf file on both versions?<\/p>

If needed you could capture with Wireshark the network traffic while replaying your user path. You should be able to compare the Kerberos parameters sent from the two different versions.<\/p>","quoteUsername":"Community Administrator","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote & Reply","Share":"Share"}}}">

凯特
Userlevel 5
徽章 + 2

你好,
在相同的linux 9.2 Neoload工作但不是在jre 2023.1(包括测试工具/ bin / java jar bin /工具/ kerberos-tester-1.0.1-all。jar)

krb5相同。配置文件, same authentification value in controller.properties (scheme.negotiate.subprotocol=spnego
scheme.priority =谈判,ntlm、消化、基本)

在附件看到日志

2个附件
质量问题,凯特
Hello,
On the same linux with Neoload 9.2 it's work but not in\u00a0 2023.1 (both tests with tool jre\/bin\/java -jar bin\/tools\/kerberos-tester-1.0.1-all.jar )\u00a0<\/p>

Same krb5.conf file, same authentification value in controller.properties (scheme.negotiate.subprotocol=spnego
scheme.priority=negotiate,ntlm,digest,basic)<\/p>

See in attachments both logs<\/p>","quoteUsername":"Kat","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote & Reply","Share":"Share"}}}">

C
Userlevel 3
徽章 + 2

好了。这只是一个在你krb5文档选项。配置没有加密设置,它使用默认值。当我们看你提供的两个输出从9.2.1 Kerberos工具我们可以看到,我们有“default_tgs_enctypes: 18日17日20日19日16 23”而在2023.1“default_tgs_enctypes: 18 17 20 19”

这意味着16 - 23不属于默认了。这是在互联网上寻找“des3-cbc-sha1-kd”和“rc4-hmac”。两者都是弃用。

我不能确认是否他们已经被9.2.1之一,但也许你可以检查直接在机器上使用“中- e”命令来检查所使用的加密。这可能是“被迫”krb5 . conf。

你也可以迫使2023年失踪两个加密检查如果任何区别:

default_tgs_enctypes = des3-cbc-sha1-kd aes128 - cts - hmac - sha1 - 96 rc4-hmac

另一种方法来检查将捕获的交通。

你应该打开一个支持票如果这些信息并没有帮助,因为它看起来很棘手。

谢谢

Ok got it. This is only a doc option so in your krb5.conf there's no encryption set and it uses the default. When we look at the two output you have provided from the Kerberos tools we can see that in 9.2.1 we have \"default_tgs_enctypes: 18 17 20 19 16 23\" whereas in 2023.1 it's \"default_tgs_enctypes: 18 17 20 19\"<\/p>

It means that 16 and 23 are not part in the default anymore. Looking on the Internet this is for \"des3-cbc-sha1-kd\" and \"rc4-hmac\". Both are deprecated.<\/p>

I'm not able to confirm if one of them has been used by 9.2.1 but maybe you could check directly on the machine using the \"klist -e\" command to check the encryption used. Then this could be \"forced\" in your krb5.conf.<\/p>

You can also force with the two missing encryption in 2023 to check if it makes any difference like :<\/p>

default_tgs_enctypes = des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 rc4-hmac<\/p>

Another way to check would be to capture the traffic.<\/p>

You should open a support ticket if this information does not help since it seems tricky.<\/p>

Thanks<\/p>","quoteUsername":"Community Administrator","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote & Reply","Share":"Share"}}}">

凯特
Userlevel 5
徽章 + 2

你好,

我和krb5试试。配置文件

[libdefaults]
default_realm = xxx.xx.xxxx
default_tgs_enctypes = des3-cbc-sha1-kd aes128 - cts - hmac - sha1 - 96 rc4-hmac
default_tkt_enctypes = des3-cbc-sha1-kd aes128 - cts - hmac - sha1 - 96 rc4-hmac

.....

相同的结果,它是好的在2023.1 9.2和ko

我不开票价tricentis支持网站。188金宝搏app苹果下载软件不知道为什么。

2个附件
质量问题,凯特
Hello,<\/p>

I try with krb5.conf file<\/p>

[libdefaults]
default_realm = xxx.xx.xxxx
default_tgs_enctypes = des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 rc4-hmac
default_tkt_enctypes = des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 rc4-hmac<\/p>

.....<\/p>

Same result, it's Ok in 9.2 and ko in 2023.1<\/p>

I cant not open ticket on tricentis support website. Don't know why.<\/p>","quoteUsername":"Kat","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote & Reply","Share":"Share"}}}">

回复


ShiftSync条款和条件
Learn more about our cookies.<\/a>","cookiepolicy.button":"Accept cookies","cookiepolicy.button.deny":"Deny all","cookiepolicy.link":"Cookie settings","cookiepolicy.modal.title":"Cookie settings","cookiepolicy.modal.content":"We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.<\/a>","cookiepolicy.modal.level1":"Basic
Functional","cookiepolicy.modal.level2":"Normal
Functional + analytics","cookiepolicy.modal.level3":"Complete
Functional + analytics + social media + embedded videos"}}}">

金宝搏app官网下载
Baidu
map