Kerberos overview
You can run HTTP tests against servers that use the Kerberos protocol for authentication.
Introduction
Kerberos is a security authentication protocol that requires users and services to provide proof of identity.
Kerberos is supported only for HTTP tests on Rational Performance Tester.
Supported environments
Kerberos is supported on HTTP for Web servers running Internet Information Server (IIS) or WebSphere with the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI). Additionally, the Key Distribution Center (KDC) must be part of the Windows Domain Controller Active Directory. Internet Explorer and Mozilla Firefox browsers are supported for recording tests. Kerberos is not supported on other protocols, environments, or browsers.
For example, a KDC running on Linux is not supported.
Tips
For best results when you record tests that use Kerberos authentication, specify the host by name, not by numeric IP address. Also, note that user information is case-sensitive. Specify user information using the exact logon name from the user account in Active Directory. The User logon name field in the properties for the user in Active Directory displays the correct user name in the correct case.
To the right of the user name the realm or domain name is displayed in the correct case.
For example:
- User ID: kerberostester
- Password: secret
- Realm: ABC.IBM.COM
User logon names of the form ABC\kerberostester are not supported.
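The tips above can be applied as a pre-flight check on test data before recording or playback. This is an added example, not part of Rational Performance Tester or the original page. The function names, the sample host name, the whitespace check, and the upper-case realm warning (based on the usual Active Directory realm convention) are assumptions.

```python
import ipaddress

def check_kerberos_test_input(host, user, realm):
    """Return a list of problems for one (host, user, realm) row; empty means OK."""
    problems = []

    # Tip: specify the host by name, not by numeric IP address.
    literal = host.strip("[]")  # accept bracketed IPv6 literals such as [2001:db8::1]
    try:
        ipaddress.ip_address(literal)
        problems.append(f"host {host!r} is a numeric IP address; use the host name")
    except ValueError:
        pass  # not an IP literal, so it is treated as a host name

    # Tip: logon names of the form ABC\kerberostester are not supported.
    if "\\" in user:
        problems.append(f"user {user!r} uses the DOMAIN\\user form; "
                        "give the logon name and the realm separately")

    # Tip: user information must match Active Directory exactly.
    # Added check (assumption): stray whitespace breaks an exact match.
    if user != user.strip() or realm != realm.strip():
        problems.append("user or realm has leading or trailing whitespace")

    # Assumption: an Active Directory realm is normally upper case, as in
    # ABC.IBM.COM, so anything else is flagged for comparison with the directory.
    if realm and realm != realm.upper():
        problems.append(f"realm {realm!r} is not upper case; "
                        "compare it with Active Directory")

    return problems

# Constructed sample rows: (host, user ID, realm).
SAMPLE_ROWS = [
    ("web01.abc.ibm.com", "kerberostester", "ABC.IBM.COM"),
    ("192.0.2.10", "kerberostester", "ABC.IBM.COM"),
    ("web01.abc.ibm.com", "ABC\\kerberostester", "abc.ibm.com"),
]

def check_rows(rows):
    """Map each row to its list of problems."""
    return {row: check_kerberos_test_input(*row) for row in rows}

if __name__ == "__main__":
    for row, problems in check_rows(SAMPLE_ROWS).items():
        print(row, "OK" if not problems else problems)
```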
Troubleshooting
Kerberos authentication is a complex process. If you encounter problems when you attempt to record and play back tests that use Kerberos authentication, change the problem determination log level to All and run the tests again with only one virtual user.
To learn more about the problem determination log, see the help topic on changing the problem determination level. After running a test, the CommonBaseEvents00.log file on the agent computer contains information that can help you determine why Kerberos authentication failed.
Terms
- Active Directory
- Active Directory is an implementation of Lightweight Directory Access Protocol directory services created by Microsoft for use primarily in Windows environments. The main purpose of Active Directory is to provide central authentication and authorization services for Windows computers. With Active Directory, administrators can assign policies, deploy software, and apply critical updates to an organization.
- Directory service
- A directory service is a software application or set of applications that store and organize information about the users and resources of a computer network.
- Generic Security Services Application Program Interface (GSS-API)
- The GSS-API enables programs to access security services. The GSS-API alone does not provide any security. Instead, security service providers provide GSS-API implementations, typically in the form of libraries installed with their security software. Sensitive application messages can be wrapped, or encrypted, by the GSS-API to provide secure communication between client and server. Typical protections that GSS-API wrapping provides include confidentiality (secrecy) and integrity (authenticity). The GSS-API can also provide local authentication about the identity of a remote user or remote host.
- Key Distribution Center (KDC)
- The authentication server in a Kerberos environment is called the Key Distribution Center.
- LDAP
- LDAP is an application protocol for querying and modifying directory services running over TCP/IP. An LDAP directory tree typically reflects political, geographic, or organizational boundaries. LDAP deployments typically use Domain Name System (DNS) names for structuring the highest levels of the hierarchy. LDAP entries can represent many different types of objects including people, organizational units, printers, documents, or groups of people.
- Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
- SPNEGO is used when a client application attempts to authenticate to a remote server, but the authentication protocols supported by the remote server are unknown. SPNEGO is a standard GSS-API pseudo-mechanism. The pseudo-mechanism uses a protocol to determine which common GSS-API mechanisms are available, then SPNEGO selects one GSS-API mechanism to use for all future security operations.
- Trust Association Interceptor (TAI)
- The TAI is a mechanism that establishes a secure connection between WebSphere and other application software.
- Record Kerberos applications with Internet Explorer
You must configure the browser before you attempt to record Kerberos applications.
- Record Kerberos applications with Mozilla Firefox
You must configure the browser before recording Kerberos applications.
- Generate tests that use Kerberos
You must supply a Kerberos user name and password when generating tests that use Kerberos.
Related tasks
Change the problem determination level during a run