Kerberos overview

You can run HTTP tests against servers that use the Kerberos protocol for authentication.

Introduction

Kerberos is a network authentication protocol in which users and services prove their identity to a trusted third party, the Key Distribution Center (KDC), and receive tickets that they present to one another instead of passwords.

Note: Kerberos is supported only for HTTP tests on Test Performance.

Supported environments

Kerberos is supported on HTTP for web servers running Internet Information Services (IIS) or WebSphere® with the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI). Additionally, the Key Distribution Center (KDC) must be the one provided by a Windows Active Directory domain controller. Internet Explorer, Mozilla Firefox, Opera, Apple Safari, and Google Chrome browsers are supported for recording tests. Kerberos is not supported on other protocols, environments, or browsers. For example, a KDC running on Linux is not supported.

Tips

For best results when you record tests that use Kerberos authentication, specify the host by name, not by numeric IP address. The browser derives the service principal name of the web server (HTTP/host) from the host name in the URL; when the URL contains only an IP address, no Kerberos ticket can be requested and the browser typically falls back to NTLM, so the recording does not exercise Kerberos at all. Also note that user information is case-sensitive. Specify user information using the exact logon name from the user account in Active Directory. The User logon name field in the properties for the user in Active Directory displays the correct user name in the correct case. To the right of the user name, the realm or domain name is displayed in the correct case (Kerberos realms are conventionally upper case). For example:

  • User ID: kerberostester
  • Password: secret
  • Realm: ABC.IBM.COM

User logon names of the down-level form ABC\kerberostester (domain, backslash, user) are not supported. Supply the user ID and the realm separately, as in the example above.
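The following Python script is an added example; it is not part of this documentation or of the product. Given a recorded 401 challenge and the browser's Authorization header, it decodes the Negotiate token (the SPNEGO structure defined under Terms below) and reports whether the browser actually sent Kerberos through SPNEGO or fell back to NTLM, the usual result of recording against an IP address; it also checks a user ID and realm against the rules above. The sample tokens are constructed inline: they have a valid SPNEGO NegTokenInit layout around a placeholder mechToken, not a real ticket, and the mechanism labels krb5, ms-krb5 and ntlmssp are names chosen here.

```python
"""Audit a recorded HTTP Negotiate exchange (added example, not product code)."""
import base64

# DER-encoded OID contents octets as they appear inside SPNEGO tokens.
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {KRB5_OID: "krb5", MS_KRB5_OID: "ms-krb5", NTLMSSP_OID: "ntlmssp"}  # labels chosen here

def der(tag, body):
    """Encode one DER TLV; used only to build the constructed sample tokens."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body

def tlv(buf, pos=0):
    """Decode the DER TLV starting at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Every TLV directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def classify_negotiate_token(b64token):
    """Return (mechanism, offered_mechs) for the token after 'Authorization: Negotiate '."""
    raw = base64.b64decode(b64token)
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLM", []  # bare NTLMSSP message, not wrapped in SPNEGO at all
    tag, body, _ = tlv(raw)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, oid, pos = tlv(body)
    if oid_tag != 0x06 or oid != SPNEGO_OID:
        raise ValueError("unexpected mechanism OID " + oid.hex())
    ctx_tag, negtoken, _ = tlv(body, pos)
    if ctx_tag != 0xA0:
        raise ValueError("expected a NegTokenInit ([0]) from the client")
    _, fields, _ = tlv(negtoken)  # the NegTokenInit SEQUENCE
    offered = []
    for field_tag, value in children(fields):
        if field_tag == 0xA0:  # [0] mechTypes: SEQUENCE OF OID
            _, oids, _ = tlv(value)
            offered = [OID_NAMES.get(o, o.hex()) for t, o in children(oids) if t == 0x06]
    # RFC 4178: the mechToken in a NegTokenInit belongs to the first listed mechanism.
    first = offered[0] if offered else "unknown"
    return ("Kerberos" if first in ("krb5", "ms-krb5") else first), offered

def check_logon_name(user_id, realm):
    """Problems with the credentials a test supplies, per the tips above."""
    problems = []
    if "\\" in user_id:
        problems.append("down-level DOMAIN\\user form is not supported; use the User logon name")
    if "@" in user_id:
        problems.append("put the realm in the Realm field instead of appending it to the user ID")
    if realm != realm.upper():
        problems.append("realm is case-sensitive; Active Directory shows it as " + realm.upper())
    return problems

def audit_exchange(www_authenticate, authorization):
    """Judge one recorded 401 challenge and the browser's reply, given as header values."""
    schemes = [v.strip().split(" ")[0] for v in www_authenticate.split(",")]
    if "Negotiate" not in schemes:
        return "server offered %s, not Negotiate: SPNEGO is not enabled on it" % schemes
    scheme, _, token = authorization.partition(" ")
    if scheme != "Negotiate":
        return "client answered with %s, not Negotiate" % scheme
    mechanism, offered = classify_negotiate_token(token.strip())
    if mechanism == "Kerberos":
        return "Kerberos via SPNEGO (offered: %s)" % ", ".join(offered)
    return "NTLM fallback (%s): check host name versus IP address and the HTTP/<host> SPN" % mechanism

def sample_tokens():
    """Constructed tokens with placeholder mechTokens; no real ticket is involved."""
    def neg_token_init(mech_oids):
        mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
        mech_token = der(0xA2, der(0x04, b"\x00" * 16))  # [2] mechToken placeholder
        init = der(0xA0, der(0x30, mech_types + mech_token))
        return base64.b64encode(der(0x60, der(0x06, SPNEGO_OID) + init)).decode()
    raw_ntlm = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 16
    return {
        "kerberos": neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID]),
        "ntlm_fallback": neg_token_init([NTLMSSP_OID]),
        "raw_ntlm": base64.b64encode(raw_ntlm).decode(),
    }

if __name__ == "__main__":
    for name, token in sample_tokens().items():
        print(name, "->", audit_exchange("Negotiate, NTLM", "Negotiate " + token))
    print(check_logon_name("ABC\\kerberostester", "abc.ibm.com"))
```

To use it on a real recording, paste the WWW-Authenticate value from the 401 response and the Authorization value from the browser's next request into audit_exchange. A result of "NTLM fallback" with only ntlmssp offered means the recorded test never obtained a Kerberos ticket, so the playback problem is on the client side (host specified by IP, missing SPN, or a workstation that is not a domain member), not in the test tool.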

Troubleshooting

Kerberos authentication is a complex process. If you encounter problems when you attempt to record and play back tests that use Kerberos authentication, change the problem determination log level to All and run the tests again with only one virtual user, so that the log contains a single, easily followed authentication sequence. To learn more about the problem determination log, see the help topic on changing the problem determination level. After running a test, the CommonBaseEvents00.log file on the agent computer contains information that can help you determine why Kerberos authentication failed.

Terms

Active Directory
Active Directory is Microsoft's directory service for Windows domains. It exposes a Lightweight Directory Access Protocol interface and, on each domain controller, hosts the Kerberos Key Distribution Center that this feature requires. The main purpose of Active Directory is to provide central authentication and authorization services for Windows computers. With Active Directory, administrators can assign policies, deploy software, and apply critical updates across an organization.
Directory service
A directory service is a software application or set of applications that store and organize information about the users and resources of a computer network.
Generic Security Services Application Program Interface (GSS-API)
The GSS-API is a vendor-neutral interface through which programs access security services. The GSS-API alone does not provide any security. Instead, security service providers supply GSS-API implementations (mechanisms), typically as libraries installed with their security software; Kerberos is one such mechanism. After a security context is established, sensitive application messages can be wrapped, that is signed or encrypted, through the GSS-API to protect communication between client and server. Typical protections that GSS-API wrapping provides are confidentiality (secrecy) and integrity (authenticity). Context establishment itself authenticates the identity of the remote user or host to the local application.
Key Distribution Center (KDC)
The authentication server in a Kerberos environment is called the Key Distribution Center. Its Authentication Service issues a ticket-granting ticket when a user logs on, and its Ticket-Granting Service issues service tickets (for example, for HTTP/host) that the client presents to the web server. In a Windows domain the KDC runs on every domain controller.
Lightweight Directory Access Protocol (LDAP)
LDAP is an application protocol for querying and modifying directory services running over TCP/IP. An LDAP directory tree typically reflects political, geographic, or organizational boundaries. LDAP deployments typically use Domain Name System (DNS) names for structuring the highest levels of the hierarchy. LDAP entries can represent many different types of objects including people, organizational units, printers, documents, or groups of people.
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
SPNEGO is used when a client application attempts to authenticate to a remote server, but the authentication protocols supported by the remote server are unknown. SPNEGO is a standard GSS-API pseudo-mechanism. The pseudo-mechanism uses a protocol to determine which GSS-API mechanisms the client and server have in common, then selects one GSS-API mechanism to use for all further security operations. In HTTP it appears as the Negotiate authentication scheme (WWW-Authenticate: Negotiate); the token that the browser returns in the Authorization header carries Kerberos when a ticket is available and otherwise falls back to NTLM.
Trust Association Interceptor (TAI)
A TAI is a WebSphere® Application Server plug-in point that lets an external authentication component validate an incoming request and assert the authenticated user identity to WebSphere. The SPNEGO TAI validates the SPNEGO token that the browser sends in the HTTP Authorization header and maps the Kerberos principal to a WebSphere user, so that the application server does not prompt for a password.