You can run HTTP tests against
servers that use the Kerberos protocol for authentication.
Introduction
Kerberos is a security authentication
protocol that requires users and services to provide proof of identity.
Note: Kerberos
is supported only for HTTP tests on Rational® Performance Tester.
Supported environments
Kerberos is supported
on HTTP for Web servers running Internet Information Server (IIS)
or WebSphere with the Simple and Protected GSS-API Negotiation Mechanism
(SPNEGO) trust association interceptor (TAI). Additionally, the Key
Distribution Center (KDC) must be part of the Windows Domain Controller
Active Directory. Internet Explorer and Mozilla Firefox browsers are
supported for recording tests. Kerberos is not supported on other
protocols, environments, or browsers. For example, a KDC running on
Linux is not supported.
Tips
For best results when you record tests
that use Kerberos authentication, specify the host by name, not by
numeric IP address. Also, note that user information is case-sensitive.
Specify user information using the exact logon name from the user
account in Active Directory. The User logon name field
in the properties for the user in Active Directory displays the correct
user name in the correct case. To the right of the user name the realm
or domain name is displayed in the correct case. For example:
- User ID: kerberostester
- Password: secret
- Realm: ABC.IBM.COM
User logon names of the form ABC\kerberostester are not supported.
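The tips above written as a pre-flight check on test inputs. This is an added example, not part of the product or its documentation. The function name `check_kerberos_inputs`, the `AD_ACCOUNTS` table and the host name `web01.abc.ibm.com` are constructed for illustration.

```python
import ipaddress

# Constructed sample: logon name and realm exactly as the Active Directory
# "User logon name" field shows them (values taken from the example above).
AD_ACCOUNTS = {"kerberostester": ("kerberostester", "ABC.IBM.COM")}


def check_kerberos_inputs(host, user, realm, ad_accounts=AD_ACCOUNTS):
    """Return a list of problems with the inputs; an empty list means OK."""
    problems = []

    # Tip: specify the host by name, not by numeric IP address.
    try:
        ipaddress.ip_address(host.strip("[]"))  # brackets allow for IPv6 literals
        problems.append(f"host '{host}' is a numeric IP address; use the host name")
    except ValueError:
        pass  # not an IP literal, so it is treated as a host name

    # Logon names of the form ABC\kerberostester are not supported.
    if "\\" in user:
        problems.append(f"user '{user}' uses the DOMAIN\\user form; not supported")
        return problems

    # User information is case-sensitive: compare with the directory values.
    entry = ad_accounts.get(user.lower())
    if entry is None:
        problems.append(f"user '{user}' is not in the supplied account list")
        return problems
    ad_user, ad_realm = entry
    if user != ad_user:
        problems.append(f"user '{user}' differs in case from '{ad_user}'")
    if realm != ad_realm:
        if realm.lower() == ad_realm.lower():
            problems.append(f"realm '{realm}' differs in case from '{ad_realm}'")
        else:
            problems.append(f"realm '{realm}' does not match '{ad_realm}'")
    return problems


if __name__ == "__main__":
    # Constructed inputs: one correct set and two that break the tips.
    for args in [("web01.abc.ibm.com", "kerberostester", "ABC.IBM.COM"),
                 ("192.0.2.10", "KerberosTester", "abc.ibm.com"),
                 ("web01.abc.ibm.com", "ABC\\kerberostester", "ABC.IBM.COM")]:
        print(args, "->", check_kerberos_inputs(*args) or "OK")
```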
Troubleshooting
Kerberos authentication
is a complex process. If you encounter problems when you attempt to
record and play back tests that use Kerberos authentication, change
the problem determination log level to All and
run the tests again with only one virtual user. To learn more about
the problem determination log, see the help topic on changing the
problem determination level. After running a test, the CommonBaseEvents00.log file
on the agent computer contains information that can help you determine
why Kerberos authentication failed.
Terms
- Active Directory
- Active Directory is an implementation of Lightweight Directory
Access Protocol directory services created by Microsoft for use primarily
in Windows environments. The main purpose of Active Directory is to
provide central authentication and authorization services for Windows
computers. With Active Directory, administrators can assign policies,
deploy software, and apply critical updates to an organization.
- Directory service
- A directory service is a software application or set of applications
that store and organize information about the users and resources
of a computer network.
- Generic Security Services Application Program Interface (GSS-API)
- The GSS-API enables programs to access security services. The
GSS-API alone does not provide any security. Instead, security service
providers provide GSS-API implementations, typically in the form of
libraries that are installed with their security software. Sensitive
application messages can be wrapped, or encrypted, by
the GSS-API to provide secure communication between client and server.
Typical protections that GSS-API wrapping provides include confidentiality
(secrecy) and integrity (authenticity). The GSS-API can also provide
local authentication about the identity of a remote user or remote
host.
- Key Distribution Center (KDC)
- The authentication server in a Kerberos environment is called
the Key Distribution Center.
- Lightweight Directory Access Protocol (LDAP)
- LDAP is an application protocol for querying and modifying directory
services running over TCP/IP. An LDAP directory tree typically reflects
political, geographic, or organizational boundaries. LDAP deployments
typically use Domain Name System (DNS) names for structuring the highest
levels of the hierarchy. LDAP entries can represent many different
types of objects including people, organizational units, printers,
documents, or groups of people.
- Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
- SPNEGO is used when a client application attempts to authenticate
to a remote server, but the authentication protocols supported by
the remote server are unknown. SPNEGO is a standard GSS-API pseudo-mechanism.
The pseudo-mechanism uses a protocol to determine which common GSS-API
mechanisms are available, and SPNEGO then selects one GSS-API mechanism
to use for all future security operations.
- Trust Association Interceptor (TAI)
- The TAI is a mechanism that establishes a secure connection between
WebSphere and other application software.