You can run HTTP tests against
servers that use the Kerberos protocol for authentication.
Introduction
Kerberos is a security authentication
protocol that requires users and services to provide proof of identity.
Note: Kerberos
is supported only for HTTP tests on Rational® Performance Tester.
Supported environments
Kerberos is supported
on HTTP for web servers running Internet Information Server (IIS)
or WebSphere® with the
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust
association interceptor (TAI). Additionally, the Key Distribution
Center (KDC) must be part of the Windows Domain
Controller Active Directory. Internet Explorer, Mozilla Firefox, Opera,
Apple Safari, and Google Chrome browsers are supported for recording
tests. Kerberos is not supported on other protocols, environments,
or browsers. For example, a KDC running on Linux is not supported.
Tips
For best results when you record tests
that use Kerberos authentication, specify the host by name, not by
numeric IP address. Also, note that user information is case-sensitive.
Specify user information using the exact logon name from the user
account in Active Directory. The User logon name field
in the properties for the user in Active Directory displays the correct
user name in the correct case. To the right of the user name, the realm
or domain name is displayed in the correct case. For example:
- User ID: kerberostester
- Password: secret
- Realm: ABC.IBM.COM
User logon names of the form ABC\kerberostester are not supported.
Troubleshooting
Kerberos authentication
is a complex process. If you encounter problems when you attempt to
record and play back tests that use Kerberos authentication, change
the problem determination log level to All and
run the tests again with only one virtual user. To learn more about
the problem determination log, see the help topic on changing the
problem determination level. After running a test, the CommonBaseEvents00.log file
on the agent computer contains information that can help you determine
why Kerberos authentication failed.
Terms
- Active Directory
- Active Directory is an implementation of Lightweight Directory
Access Protocol directory services created by Microsoft for use primarily in Windows environments. The main purpose of
Active Directory is to provide central authentication and authorization
services for Windows computers.
With Active Directory, administrators can assign policies, deploy
software, and apply critical updates to an organization.
- Directory service
- A directory service is a software application or set of applications
that store and organize information about the users and resources
of a computer network.
- Generic Security Services Application Program Interface (GSS-API)
- The GSS-API enables programs to access security services. The
GSS-API alone does not provide any security. Instead, security service
providers provide GSS-API implementations, typically in the form of
libraries that are installed with their security software. Sensitive
application messages can be wrapped, or encrypted, by
the GSS-API to provide secure communication between client and server.
Typical protections that GSS-API wrapping provides include confidentiality
(secrecy) and integrity (authenticity). The GSS-API can also provide
local authentication about the identity of a remote user or remote
host.
- Key Distribution Center (KDC)
- The authentication server in a Kerberos environment is called
the Key Distribution Center.
- Lightweight Directory Access Protocol (LDAP)
- LDAP is an application protocol for querying and modifying directory
services running over TCP/IP. An LDAP directory tree typically reflects
political, geographic, or organizational boundaries. LDAP deployments
typically use Domain Name System (DNS) names for structuring the highest
levels of the hierarchy. LDAP entries can represent many different
types of objects including people, organizational units, printers,
documents, or groups of people.
- Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
- SPNEGO is used when a client application attempts to authenticate
to a remote server, but the authentication protocols supported by
the remote server are unknown. SPNEGO is a standard GSS-API pseudo-mechanism.
The pseudo-mechanism uses a protocol to determine which common GSS-API
mechanisms are available. SPNEGO then selects one GSS-API mechanism
to use for all future security operations.
- Trust Association Interceptor (TAI)
- The TAI is a mechanism that establishes a secure connection between WebSphere and other application
software.
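
The mechanism negotiation described under SPNEGO can be checked directly when a recorded test does not authenticate with Kerberos. The following added example (not part of the product or its documentation) decodes the token from an Authorization: Negotiate header and lists the GSS-API mechanisms the client offered. The function names and the sample token are constructed for illustration; the OIDs are the registered ones for SPNEGO, Kerberos V5 and NTLMSSP.

```python
import base64

SPNEGO = bytes.fromhex("2b0601050502")  # OID 1.3.6.1.5.5.2
KRB5, MS_KRB5, NTLM = map(bytes.fromhex, (  # DER bodies of mechanism OIDs
    "2a864886f712010202", "2a864882f712010202", "2b06010401823702020a"))
MECHS = {KRB5: "Kerberos V5", MS_KRB5: "Kerberos V5 (legacy Microsoft OID)",
         NTLM: "NTLMSSP"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def offered_mechanisms(header_value):
    """Mechanisms named in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header carrying a token")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):  # NTLM sent without SPNEGO framing
        return ["NTLMSSP"]
    tag, body, _ = read_tlv(token)  # 0x60 = GSS-API initial context token
    if tag != 0x60:
        raise ValueError("not an initial GSS-API token")
    _, oid, pos = read_tlv(body)  # OID of the outer mechanism
    if oid != SPNEGO:  # one mechanism used directly, nothing negotiated
        return [MECHS.get(oid, "unknown " + oid.hex())]
    _, neg_init, _ = read_tlv(body, pos)   # [0] NegTokenInit
    _, fields, _ = read_tlv(neg_init)      # SEQUENCE of its fields
    _, mech_types, _ = read_tlv(fields)    # [0] mechTypes (first field)
    _, oid_list, _ = read_tlv(mech_types)  # SEQUENCE OF OID, preferred first
    mechs, pos = [], 0
    while pos < len(oid_list):
        _, oid, pos = read_tlv(oid_list, pos)
        mechs.append(MECHS.get(oid, "unknown " + oid.hex()))
    return mechs

def der(tag, value):  # builds the constructed sample; short lengths only
    return bytes([tag, len(value)]) + value
# Constructed sample token: the client offers Kerberos V5 first, then NTLMSSP.
MECH_LIST = der(0x30, der(0x06, KRB5) + der(0x06, NTLM))
SAMPLE = "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO) + der(
    0xA0, der(0x30, der(0xA0, MECH_LIST))))).decode()
```

If Kerberos V5 is absent from the returned list, the client did not offer Kerberos for that request.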