Need help with StresStimulus? Start here.

Windows Integrated authentication over SSL Messages in this topic - RSS

Vadim @StresStimulus
Vadim @StresStimulus
Posts: 583

Vadim @StresStimulus
Vadim @StresStimulus
Posts: 583
If a web application is configured to use Windows Integrated authentication, and also SSL is enable, you will have issues with recording a test case, because the authentication will fail. After entering credentials, browser will keep returning the authentication window. This behavior will also take place without using StresStimulus recorder or even without StresStimulus installed.

The issue is caused by using a man-in-the-middle approach for decrypting HTTPS traffic in Fiddler, when combined with NTLM or Kerberos authentication, as described in this article by Eric Lawrence

Eric recommends the following solution:

To configure Fiddler to authenticate on your behalf, click Rules > Customize Rules. Scroll to the OnPeekAtResponseHeadersfunction and add the following code:
static function OnPeekAtResponseHeaders(oSession: Session)
// To avoid problems with Channel-Binding-Tokens, this block allows Fiddler
// itself to respond to Authentication challenges from HTTPS Intranet sites.
if (oSession.isHTTPS &&
(oSession.responseCode == 401) &&
// Only permit auto-auth for local apps (e.g. not devices or remote PCs)
(oSession.LocalProcessID > 0) &&
// Only permit auth to sites we trust
// To use creds other than your Windows login credentials,
// set X-AutoAuth to "domain\\username:password"
oSession["X-AutoAuth"] = "(default)";
oSession["ui-backcolor"] = "pink";

//... function continues
You will probably want to adjust the two values marked in green. The first controls what servers Fiddler is willing to release credentials to—by default, I allow Fiddler to send credentials to any “plain” hostname that does not contain a dot (Intranet sites) and I also allow any site ending in, because some of our CBT-protected servers have hostnames that contain dots. The second value controls what credentials Fiddler will attempt to use. If you specify explicit credentials in domain\\username:password format (note the double-backslash required by JavaScript), Fiddler will attempt to use those credentials. If you instead specify (default), Fiddler will attempt to use the login credentials of whatever user-account that it is running under. Since I run Fiddler in my own account, I use “(default)”.

After you make these changes and save the file, Fiddler will begin to authenticate on your behalf to the servers' you’ve selected. The final line in the script sets the background color of automatically authenticated responses to pink so that they’re easily visible in your session list.
0 link

Copyright © 2024 Stimulus Technology