8 Replies Latest reply: Apr 26, 2013 3:13 AM by Björn Wedbratt

    Connect with a specific user (NTLM)?

    Nicolas MARTIN

      Hello,

       

      I'd like to use the Scalability Tool.

      I can't install it on my server, because I don't have enough admin rights (Java, .net framework, JMeter, ...).

       

      I've made all the setup on my computer, but when it comes to running the test, there is a problem with authentication.

      My server has NTLM authentication. But my computer isn't in the same domain.

       

      When I'm using QlikView's "open in server", I use the "use another Windows account" where I type the login / password I want to use, and it works.

       

       

      How can I do the trick with the scalability tool?

       

       

      (I can't make any modifications on the server regarding the authentication)

        • Re: Connect with a specific user (NTLM)?
          Björn Wedbratt

          If you can't get authentication to work between domains or if your computer simply isn't a member of a domain at all (workgroup) there is a small "trick" you can use when it comes to NTLM.

          Create a local account on the server and give it proper permissions so you can logon using SERVERNAME\user in "open in server".

          Now create the exact same account on your workstation, same user and exact same password.

          Logon to your workstation with that account and you should be able to authenticate automatically against the server, using NTLM.

            • Re: Connect with a specific user (NTLM)?
              Nicolas MARTIN

              I've done what you said.

               

              When I do "open in server" on my workstation with "Use NT identity", it works: no password is asked and I see the files.

              But when I go to the access point URL or my document URL with my internet browser (Internet Explorer and Chrome), I have a popup asking me username / password.

               

              Obviously, my JMeter scenario gives me the same result: nothing.

               

              "test-VERSION_not_found-0425161605.xml":

              <?xml version="1.0" encoding="UTF-8" ?>

              <testresult testname="test" QVSversion= "NoVersion" Document="Test scalability.qvw" timeStamp="2013-04-25-161605">

                        <requestedobject action="Open Document #2" id="Test scalability.qvw" inputValue="" threadIteration="1" testLoop="0">

                        </requestedobject>

              </testresult>

                • Re: Connect with a specific user (NTLM)?
                  Björn Wedbratt

                  That confirms NTLM working between the client and server, with the logged on (local) account.

                  I don't have that much experience with JMeter, so I'll leave that part to Michael and Sebastian. From what I understand of the posts below, solving the NTLM issue might not provide you with the solution you're after though.

                   

                  If you still want to dig into the NTLM part for AccessPoint and browser access, there might be some things worth looking into:

                  • make sure the URL you're trying to access is added into Local Intranet zone on IE.
                  • as you're running QVWS, make sure you didn't alter the authentication scheme in the config.xml for QVWS (%ProgramData%\QlikTech\WebServer). HttpAuthentication for Authenticate.aspx should by default be set to NTLM
                  • Check Security Settings in IE for the zone. Especially the setting for User Authentication:

                       [Screenshot: toqc.png]
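When the browser prompts instead of logging on silently, it helps to look at what the server actually sends in the 401 response. The following is an added example, not part of the original posts: it lists the schemes from the `WWW-Authenticate` headers and decodes an NTLM type-2 challenge to show which target the server announces. The function names are hypothetical and the sample message is constructed, using the `SERVERNAME` placeholder from the thread.

```python
import base64
import struct

# NegotiateFlags bits from MS-NLMP used below.
FLAG_UNICODE = 0x00000001
FLAG_TARGET_TYPE_DOMAIN = 0x00010000
FLAG_TARGET_TYPE_SERVER = 0x00020000


def offered_schemes(www_authenticate_values):
    """Scheme names advertised by a 401 response, in the order sent."""
    return [v.split(None, 1)[0] for v in www_authenticate_values if v.strip()]


def parse_challenge(header_value):
    """Decode an 'NTLM <base64>' type-2 (CHALLENGE_MESSAGE) header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob.strip():
        raise ValueError("not an NTLM challenge header")
    msg = base64.b64decode(blob.strip())
    if len(msg) < 32 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("truncated message or bad NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise ValueError("expected message type 2, got %d" % msg_type)
    # TargetNameFields (len, maxlen, offset), then NegotiateFlags.
    name_len, _maxlen, name_off, flags = struct.unpack_from("<HHII", msg, 12)
    if name_off + name_len > len(msg):
        raise ValueError("target name lies outside the message")
    raw = msg[name_off:name_off + name_len]
    if flags & FLAG_UNICODE:
        target = raw.decode("utf-16-le")
    else:
        target = raw.decode("ascii", "replace")  # OEM charset, approximated
    if flags & FLAG_TARGET_TYPE_DOMAIN:
        kind = "domain"
    elif flags & FLAG_TARGET_TYPE_SERVER:
        kind = "server"
    else:
        kind = "unspecified"
    return {"target": target, "target_type": kind,
            "server_challenge": msg[24:32].hex()}


def build_sample_challenge(target, flags):
    """Constructed type-2 message for offline use (not captured traffic)."""
    name = target.encode("utf-16-le")
    head = b"NTLMSSP\x00" + struct.pack("<IHHII", 2, len(name), len(name), 56, flags)
    # ServerChallenge, Reserved, empty TargetInfoFields, Version (zeroed).
    rest = bytes(range(1, 9)) + bytes(8) + struct.pack("<HHI", 0, 0, 56) + bytes(8)
    return "NTLM " + base64.b64encode(head + rest + name).decode("ascii")


SAMPLE = build_sample_challenge("SERVERNAME", FLAG_UNICODE | FLAG_TARGET_TYPE_SERVER)
```

A target type of "server" means the challenge names the machine itself rather than a domain; a bare `NTLM` header with no blob is the first 401 of the handshake and is rejected by `parse_challenge`.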

              • Re: Connect with a specific user (NTLM)?
                Michael Bienstein

                Hi Nicolas,

                 

                First of all, the QV Desktop's File | Open in Server functionality is almost never used. The main use for it is to obtain a leased licence to be able to develop. The scalability tool runs in JMeter and simulates a web browser. You need to use web technologies to solve this.

                 

                Second of all, when simulating many users, it doesn't make much sense to simulate the SAME user hundreds of times. Even if you solve the authentication problem, you probably don't have lots of different usernames and passwords (you aren't hacking your AD are you?) If you use just one Windows account, you will have licence problems because one user can't have multiple sessions to the same QVW open at the same time.

                 

                So, what you need is a way to have *fictive* user accounts and be able to log in without knowing their passwords. The scalability tools allow for this. You can define a file with the list of users and fake passwords and then just use IIS for the web server and copy our fake Authentication.aspx page over to it. This page uses BASIC authentication but ignores the password. There is documentation in the tool's manual.

                 

                Hope that helps,

                 

                Michael Bienstein

                  • Re: Connect with a specific user (NTLM)?
                    Nicolas MARTIN

                    Create a local account on the server and give it proper permissions so you can logon using SERVERNAME\user in "open in server".

                    Now create the exact same account on your workstation, same user and exact same password.

                    Thank you for the tip, I'll try that.

                     

                     

                     

                    First of all, [...]. You need to use web technologies to solve this.

                     

                    I understand that with JMeter, it's possible to:

                    - change the implementation of the requests to use "HttpClient3.1" instead of Java

                    - use a "HTTP Authorisation Manager" to change the NTLM user

                    http://jmeter.apache.org/usermanual/component_reference.html#HTTP_Authorization_Manager

                     

                    I tried to modify the ".jmx" file generated by the Scalability Tools, but without success (I'm just discovering JMeter, so there is -- for me -- a lot of unknown stuff in the process).

                     

                     

                    Second of all, when simulating many users, it doesn't make much sense to simulate the SAME user hundreds of times. Even if you solve the authentication problem, you probably don't have lots of different usernames and passwords (you aren't hacking your AD are you?) If you use just one Windows account, you will have licence problems because one user can't have multiple sessions to the same QVW open at the same time.

                     

                    Two things:

                    - I'm interested in the Scalability Tool for "stress test" but also for regression test. The regression test doesn't need more than 1 user.

                     

                    - I didn't think about the fact that I couldn't have multiple sessions for the same user / same document at the same time

                    Thank you for pointing this out to me.

                    By the way, I don't have to hack the AD, because I am the person who sets the passwords

                     

                     

                    So, what you need is a way to have *fictive* user accounts and be able to log in without knowing their passwords. The scalability tools allow for this. You can define a file with the list of users and fake passwords and then just use IIS for the web server and copy our fake Authentication.aspx page over to it. This page uses BASIC authentication but ignores the password. There is documentation in the tool's manual.

                    I don't use IIS, but the QVWS.

                    For the basic authentication it needs "DMS authorization"; I think it's available in "enterprise server" only (I may be wrong, I'll have to check that).

                    If I could set a file with login/password for NTLM authentication, it would be wonderful!

                      • Re: Connect with a specific user (NTLM)?
                        Michael Bienstein

                        So, it is strange that you can't install Java due to permissions issues, yet you decide everyone's passwords in the AD. It is also strange to have a Small Business Edition that needs stress testing. Can you explain what exactly you are trying to do?

                         

                        Otherwise, yes, NTLM gets used with the list of usernames/passwords in the tool - no need to hack JMeter.

                         

                        Michael

                          • Re: Connect with a specific user (NTLM)?
                            Nicolas MARTIN

                            Otherwise, yes, NTLM gets used with the list of usernames/passwords in the tool - no need to hack JMeter.

                             

                            How?

                             

                            When I set "NTLM", I don't have a text box where I can give a text file with user/passwords.

                             

                             

                             

                            So, it is strange that you can't install Java due to permissions issues, yet you decide everyone's passwords in the AD. It is also strange to have a Small Business Edition that needs stress testing. Can you explain what exactly you are trying to do?

                            Setup and configuration are done by different persons.

                            I don't install anything by myself on the server, but I can manage the configuration of QlikView, Windows users and groups.

                            I don't want to "pollute" my prod server with a bunch of tools and software (java, .net framework, fiddler, ...).

                            Even if I could, running the tools on the server would cost a lot of RAM, so the performance of the QV server would be distorted.

                             

                            I have a very huge application that can be used by up to 10 users. Nowadays, this runs on a server with configuration XXX. I would like to make a comparison with another server with configuration YYY to know which one is better.

                            I found the Scalability Tools and thought it was a good way to make scenarios and simulate the usage of my application by 1 / 2 / 5 / 10 users at the same time and make a comparison of response time, memory load on the server, etc...

                              • Re: Connect with a specific user (NTLM)?
                                Sebastian Fredenberg

                                Hi Nicolas,

                                 

                                To be able to simulate users the Scalability Tools have to adhere to the "rules" that the environment stipulates. This includes authentication, authorization and licensing.

                                 

                                There are limitations to an SBE license:

                                • Only NTLM authentication
                                • Only NTFS-mode
                                • Only Named- and Document-CALs, below a limit

                                 

                                The Scalability Tools will use the Windows (NTLM) authenticated user to access the AccessPoint. This authenticated user will be passed on to QlikView Server and used to retrieve the User Access List (UAL) via NTFS. The UAL will only contain qvw’s that the user is authorized to see. Next step for the user is to obtain a license. Named- and Document-CALs do not allow for multiple concurrent sessions for the same authenticated user.

                                 

                                You can validate this by using Internet Explorer, on two different machines with the same authenticated user, and try to open two sessions. The second will “kill” the first. This can be observed in the Event log.

                                 

                                The enterprise-license will allow for DMS, header authentication and more so the ways you can simulate are less restricted.

                                 

                                There are a few hurdles here as I see it, but the reasons for using the tools are very valid, and it is for these purposes they have been developed.

                                 

                                With that said, you might (I have not tested it myself) be able to get some testing done by first adding the client machine to the domain. Then having access to 5, 10 etc accounts that are part of the domain as well and run one instance of the scalability tool from each account (with only one virtual user each, and those users must be able to obtain a CAL). Running as different users from the machine can be achieved by using "runas" on the tools, more information about that is found here:

                                http://technet.microsoft.com/en-us/library/cc771525(v=ws.10).aspx

                                 

                                 

                                Regards

                                /Scalability center