Bug 56701 - HTTP Authorization Manager/ Kerberos Authentication: add port to SPN when server port is neither 80 nor 443
Status: RESOLVED FIXED
Alias: None
Product: JMeter
Classification: Unclassified
Component: HTTP
Version: 2.11
Hardware: All All
Importance: P2 enhancement
Assignee: JMeter issues mailing list
Keywords: PatchAvailable
Reported: 2014-07-07 14:51 UTC by dan.haughey
Modified: 2014-07-20 09:15 UTC



Attachments
Patch to alter SPN generation behaviour in AuthManager.java (881 bytes, patch)
2014-07-07 14:51 UTC, dan.haughey
Add an option to enable the chrome optional behavior (3.89 KB, patch)
2014-07-18 19:28 UTC, Felix Schumacher

Description dan.haughey 2014-07-07 14:51:06 UTC
Created attachment 31801
Patch to alter SPN generation behaviour in AuthManager.java

We are load testing a server using Kerberos authentication, but the server principal name is not being generated in the format that the server expects. JMeter appears to use this format:

HTTP/example-server.com

but our server expects:

HTTP/example-server.com:12345

(where 12345 is the port number of the site being tested).

Chrome has a command-line switch '--enable-auth-negotiate-port' (disabled by default) that adds this port number to the SPN for sites that are on a port other than 80 or 443. (This is documented at http://dev.chromium.org/developers/design-documents/http-authentication) - using this switch allows the site to be browsed in Chrome.

Could a similar option be added to JMeter? At the moment I've hacked a solution in src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java that adds the port number on if it is a non-standard port to mimic Chrome's behaviour with the switch enabled. This obviously needs putting behind some sort of option but I haven't had time to code this properly. My diff is attached in case this is useful to anyone.
Comment 1 Philippe Mouawad 2014-07-16 14:44:16 UTC
Hello,
Thanks for the patch.
I committed it to trunk nearly as is, without adding an option, as it does not seem necessary to me.
But it would be great if you could test toward your initial site and a site with regular port (80 or 443).

Version should be available in nightly build:
http://jmeter.apache.org/nightly.html

Installing JMeter runtime
Download the _bin and _lib files
Unpack the archives into the same directory structure
The other archives are not needed to run JMeter.

Philippe M.
@philmdot
Comment 2 Philippe Mouawad 2014-07-16 14:44:48 UTC
Date: Wed Jul 16 14:42:17 2014
New Revision: 1611028

URL: http://svn.apache.org/r1611028
Log:
Bug 56701 - HTTP Authorization Manager/ Kerberos Authentication: add port to SPN when server port is neither 80 nor 443
Bugzilla Id: 56701

Modified:
    jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java
    jmeter/trunk/xdocs/changes.xml
Comment 3 Philippe Mouawad 2014-07-16 19:38:22 UTC
Hello Felix,
As you are the Kerberos expert of JMeter, it would be nice to have your opinion on this issue and fix in nightly build.

Thanks for your help in advance
Regards
Philippe
Comment 4 Felix Schumacher 2014-07-18 17:04:05 UTC
I don't think that it is a good idea to make a non default option, that is available in only one major browser, to be the default for jmeter.

As written in the Chrome URL cited by Dan, only Chrome supports the port embedded in the SPN. IE and Firefox will not embed ports into the SPN. As SPNEGO is essentially a child of Microsoft, I would opt to be compatible with IE as the default. (I have done my tests only with Firefox, though.)

The easiest solution would be to introduce a system property to decide which algorithm should be used. But it might be that someone would like to test two different systems which behave differently with respect to the port embedded into the SPN. (We could wait for that to happen :)
Comment 5 Philippe Mouawad 2014-07-18 17:08:00 UTC
Hello Felix,
Thanks for feedback.
Currently what will happen is the following:
- If port is 443 or 80 then it will not be appended.
- If port is none of the above, then :<port> will be appended.

With this behaviour, is your note still valid? If yes I will introduce a system property.
Thanks
Comment 6 Felix Schumacher 2014-07-18 17:13:43 UTC
Yes, that is exactly what I meant. Firefox and IE will produce a SPN HTTP/hostname for every given port. Chrome will do that as default. Chrome will construct a HTTP/hostname:port SPN only if you start it with --enable-auth-negotiate-port.

So I would opt for generating HTTP/hostname as default for every given port. 

If someone really wants HTTP/hostname:port for non standard ports (80 and 443) we should give him a chance by setting a system property (something like -Dorg.apache.jmeter.enable-auth-negotiate-port=true)
Comment 7 Philippe Mouawad 2014-07-18 17:19:15 UTC
Thanks a lot for feedback Felix.
You think a System property is better than a JMeter property?
Feel free to contribute a patch, otherwise I should be handling this in the upcoming days.
Regards
Comment 8 Felix Schumacher 2014-07-18 19:28:55 UTC
Created attachment 31831
Add an option to enable the chrome optional behavior

Haven't tested it yet against my Kerberos setup. But you can review it anyway, since the changes seem to be trivial enough.

Will add a comment as soon as I have tested it against my previous setup (using a Tomcat listening on port 8080).
Comment 9 Philippe Mouawad 2014-07-18 20:07:29 UTC
Date: Fri Jul 18 20:05:59 2014
New Revision: 1611785

URL: http://svn.apache.org/r1611785
Log:
Bug 56701 - HTTP Authorization Manager/ Kerberos Authentication: add port to SPN when server port is neither 80 nor 443
Add a jmeter property to control behaviour.
By default strip port.
Bugzilla Id: 56701

Modified:
    jmeter/trunk/bin/jmeter.properties
    jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java
    jmeter/trunk/xdocs/changes.xml
    jmeter/trunk/xdocs/usermanual/component_reference.xml
Comment 10 Philippe Mouawad 2014-07-18 20:07:57 UTC
Thanks a lot Felix, I updated the name of property to relate it to kerberos.
Comment 11 Felix Schumacher 2014-07-20 09:15:40 UTC
I have tested the current trunk against my test setup, which uses HTTP/www.example.com@EXAMPLE.COM as SPN for a tomcat service which runs on port 8080. That setup works.

I have tried to change my SPN to HTTP/www.example.com:8080@EXAMPLE.COM. Generated a new ktab for tomcat, changed kerberos.spnego.strip_port to "false". And tried again. It seems to use the correct SPN, but tomcat can't authenticate that SPN with its keytab against apacheds. That might be a setup problem though.

So all in all, I think the feature will do what the original requestor wants.
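
The SPN selection rule this thread settles on, as an added Java example; it is not the code from AuthManager.java or from either attached patch. The class and method names are hypothetical, the sample URLs are constructed, and the `stripPort` parameter stands in for the `kerberos.spnego.strip_port` property mentioned in Comment 11.

```java
import java.net.URI;

public class SpnForUrl {

    // Returns the service principal name a client would request for the URL.
    // stripPort = true  (the default agreed in this bug): always HTTP/host.
    // stripPort = false: HTTP/host:port, but only for ports other than 80 and 443,
    //                    matching Chrome's --enable-auth-negotiate-port behaviour.
    static String spnFor(URI url, boolean stripPort) {
        String host = url.getHost();
        if (host == null) {
            throw new IllegalArgumentException("URL has no host: " + url);
        }
        int port = url.getPort(); // -1 when the URL carries no explicit port
        boolean standardPort = port == -1 || port == 80 || port == 443;
        if (stripPort || standardPort) {
            return "HTTP/" + host;
        }
        return "HTTP/" + host + ":" + port;
    }

    public static void main(String[] args) {
        // Constructed sample URLs covering implicit, standard and non-standard ports.
        String[] samples = {
            "http://www.example.com/",
            "https://www.example.com:443/app",
            "http://www.example.com:8080/app",
            "https://example-server.com:12345/"
        };
        for (String s : samples) {
            URI u = URI.create(s);
            System.out.printf("%-36s strip_port=true: %-26s strip_port=false: %s%n",
                    s, spnFor(u, true), spnFor(u, false));
        }
    }
}
```

The SPN printed for the chosen setting is the principal that has to exist in the KDC and in the server's keytab, which is the mismatch described in the original report and in Comment 11.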