Monday, March 14, 2016

Handling NTLM authentication in test automation - Single Sign ON

CASE:
There are many situations where you have to switch between login accounts to execute a test scenario. If the application uses SAML, this is not a problem. But what if the application uses a single sign-on / NTLM authentication mechanism?

Understanding NTLM
NTLM is a suite of authentication and session security protocols used in various Microsoft network protocol implementations and supported by the NTLM Security Support Provider ("NTLMSSP"). Originally used for authentication and negotiation of secure DCE/RPC, NTLM is also used throughout Microsoft's systems as an integrated single sign-on mechanism. It is probably best recognized as part of the "Integrated Windows Authentication" stack for HTTP authentication; however, it is also used in Microsoft implementations of SMTP, POP3, IMAP (all part of Exchange), CIFS/SMB, Telnet, SIP, and possibly others.
The NTLM Security Support Provider provides authentication, integrity, and confidentiality services within the Windows Security Support Provider Interface (SSPI) framework. SSPI specifies a core set of security functionality that is implemented by supporting providers; the NTLMSSP is such a provider. The SSPI specifies, and the NTLMSSP implements, the following core operations:

  1. Authentication -- NTLM provides a challenge-response authentication mechanism, in which clients are able to prove their identities without sending a password to the server.
  2. Signing -- The NTLMSSP provides a means of applying a digital "signature" to a message. This ensures that the signed message has not been modified (either accidentally or intentionally) and that the signing party has knowledge of a shared secret. NTLM implements a symmetric signature scheme (Message Authentication Code, or MAC); that is, a valid signature can only be generated and verified by parties that possess the common shared key.
  3. Sealing -- The NTLMSSP implements a symmetric-key encryption mechanism, which provides message confidentiality. In the case of NTLM, sealing also implies signing (a signed message is not necessarily sealed, but all sealed messages are signed).
NTLM has been largely supplanted by Kerberos as the authentication protocol of choice for domain-based scenarios. However, Kerberos is a trusted-third-party scheme, and cannot be used in situations where no trusted third party exists; for example, member servers (servers that are not part of a domain), local accounts, and authentication to resources in an untrusted domain. In such scenarios, NTLM continues to be the primary authentication mechanism (and likely will be for a long time).


Solution: 

HTTP sampler settings: JAVA
With the Java implementation, JMeter uses the single sign-on account you are logged into the laptop or test server with. So during test execution, or while capturing the calls, you might need to log in as another user.

You can check whether the application is using NTLM authentication in Firefox (F12) / Developer Tools: Network: Headers --> Request Headers of the login-page call.
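To make that Network-panel check repeatable in a script, here is an added example (my own code, not from the original post): it classifies the WWW-Authenticate and Authorization headers of the login-page call and decodes the NTLMSSP message type, which is how the challenge-response handshake described under Understanding NTLM appears on the wire. The header values are constructed samples, not captures from the author's application, and the Type 1 flags value is likewise constructed.

```python
import base64
import struct

NTLM_MESSAGE_TYPES = {1: "Negotiate (Type 1)", 2: "Challenge (Type 2)", 3: "Authenticate (Type 3)"}

def ntlm_negotiate_message(flags: int = 0x00088207) -> bytes:
    """Build a minimal NTLM Type 1 (Negotiate) message, used only to construct the
    sample below: 8-byte signature, uint32 type, uint32 flags (a constructed value),
    then two empty security buffers (domain, workstation) of 8 bytes each."""
    return b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + b"\x00" * 16

# Constructed sample of what the Network panel shows for the login-page call: the
# 401 response offers NTLM and the browser's next request carries a Type 1 message.
SAMPLE_RESPONSE_HEADERS = {"WWW-Authenticate": "Negotiate, NTLM", "Content-Length": "0"}
SAMPLE_REQUEST_HEADERS = {
    "Authorization": "NTLM " + base64.b64encode(ntlm_negotiate_message()).decode("ascii"),
}

def classify_auth_header(value: str) -> dict:
    """Split an Authorization / WWW-Authenticate value into scheme and token and,
    for NTLM or Negotiate, decode the NTLMSSP message type if one is present."""
    scheme, _, token = value.strip().partition(" ")
    result = {"scheme": scheme, "carries_ntlmssp": False, "ntlm_message_type": None}
    if scheme not in ("NTLM", "Negotiate") or not token:
        return result
    raw = base64.b64decode(token.strip())
    # Every NTLMSSP message starts with this signature; a Negotiate token without it
    # is SPNEGO/Kerberos, which this check deliberately does not decode.
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        result["carries_ntlmssp"] = True
        result["ntlm_message_type"] = NTLM_MESSAGE_TYPES.get(msg_type, f"unknown ({msg_type})")
    return result

def offered_schemes(www_authenticate: str) -> list:
    """Schemes the server offered; several challenges may share one header value."""
    return [part.strip().split(" ")[0] for part in www_authenticate.split(",") if part.strip()]

def uses_ntlm(response_headers: dict, request_headers: dict) -> bool:
    """True when the server offered NTLM or Negotiate and the client answered with an
    NTLMSSP message, i.e. the challenge-response handshake described above is in use;
    JMeter's Java sampler will then authenticate as the Windows account that runs it."""
    offered = offered_schemes(response_headers.get("WWW-Authenticate", ""))
    client = classify_auth_header(request_headers.get("Authorization", ""))
    return any(s in ("NTLM", "Negotiate") for s in offered) and client["carries_ntlmssp"]
```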


To run JMeter as another user, follow these steps:

Open cmd and execute:

c:\RahulAgnihotri\apache-jmeter-2.13\bin>runas /user:ICS\ex000222002212 cmd

Now, in the new cmd window, execute:

c:\RahulAgnihotri\apache-jmeter-2.13\bin>jmeter.bat

Now you can proceed as this other user. Firefox will log in as the new user ex000222002212.
Start Task Manager: the Java process will now be running as the new user, ex000222002212.

Friday, March 4, 2016

Automate Ajax Login mechanism

For automating an Ajax login:
1. Add an HTTP Authorization Manager with mechanism: BASIC_DIGEST.
2. Use the Java implementation instead of HttpClient 4 or 3.1.




Wednesday, February 17, 2016

TESTING IN PHASES



PHASE BASED DEVELOPMENT AND TESTING

- Creating a new regression test set from the previous phase's test run.


WSO2 Identity server Test automation

This article describes and provides insights into creating dynamic-input based, fully automated tests for user scenario testing of WSO2 Identity Server authentication (involving authorization mechanisms like SAML2, OAuth and JWT tokens).

Some common steps which can be 100% automated are as follows:

- A SAML2 authentication request, redirecting the user, using the returned URI, towards the Identity Server.

- The returned value is a URI. The web application is expected to redirect the user to the returned URI.

Topics: redirect-based authentication using SAML2, the SAML2 authentication request, JWT token verification (real-time access to the JWT token and API key), WSO2 Identity Server.

- The user is redirected to the login page of the Identity Server. 

- The API Engine receives the authentication response on a callback endpoint, then parses and validates the response. 
- The API Gateway generates a JWT token (complying with RFC 7519 and using HMAC SHA-256 as the digest and signature algorithm).
- The JWT token is provided back to the web application.
Checking the JWT token from the browser: Resources --> Session Storage.

This is what you need to automate in real time each time the test executes.

The JWT token can be decoded using jwt.io to check the credentials.

The redirect command can also be retrieved the same way in real time,
so each time a new JWT token is generated it is captured and pushed into the next call in the test script.

In the same way, the SAML response in the callback can be retrieved and channelled into further calls.
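As an added example (my own code, not part of the original article or of WSO2's own code), the following shows what a test script can do with the captured token beyond pasting it into jwt.io: decode the claims, and verify the HS256 signature and expiry of an RFC 7519 token like the one described above. The secret, issuer and subject are constructed values; the real gateway secret is never available to the test script, which is why the token is minted locally.

```python
import base64
import hashlib
import hmac
import json
import time
# Constructed signing key (the real one is the gateway's secret, never held by the test script).
SAMPLE_SECRET = b"constructed-gateway-secret"

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build a compact JWT (RFC 7519) signed with HMAC SHA-256 (alg HS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"

def decode_jwt_claims(token: str) -> dict:
    """What jwt.io displays: the payload decoded without any signature check."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_hs256_jwt(token: str, secret: bytes, now=None) -> dict:
    """Check the HS256 signature and the exp claim; return the claims on success."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse 'none' and any algorithm substitution
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def jwt_is_valid(token: str, secret: bytes, now=None) -> bool:
    # Boolean form of verify_hs256_jwt, handy in a test-script assertion.
    try:
        verify_hs256_jwt(token, secret, now)
        return True
    except ValueError:
        return False

# Constructed token standing in for the one the gateway places in session storage.
SAMPLE_TOKEN = mint_hs256_jwt({"sub": "testuser", "iss": "wso2-gateway", "exp": 1_700_000_000}, SAMPLE_SECRET)
```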



Monday, November 23, 2015

How to disable internet explorer enhanced security configuration on windows 2008 R2


{If you are getting a lot of problems with pop-ups from IE and cannot install Java from the hard disk or access any site, this might help}


  1. Go to Control Panel.
  2. Click Server Manager.
  3. There, click IE Enhanced Security Configuration and set it to Off. See the screenshot below!



Json extractor and While loop

Waiting for a specific value in the response of an API request, using a While loop. Add a While Loop. The API requests will be executed inside th...