bjowes / cypress-ntlm-auth

Windows authentication plugin for Cypress
MIT License
55 stars, 10 forks

401 Unauthorized (Invalid Credentials) #121

Closed paulinosantos closed 3 years ago

paulinosantos commented 4 years ago

We have an IIS 10 server that accepts both Kerberos and NTLM. We are using the cy.ntlmSso(['devel.myapplication.com']) function and corporate certificates seem to be working fine.

I have compared my issue with the different similar threads but still haven't been able to figure out what's wrong. I am testing our development environment from my local machine. My user has access to the application and should be able to authenticate just fine. We do have an F5 Load Balancer but I am able to access the application when manually using my browser.

Below is a copy of my proxy's log:

cypress:plugin:ntlm-auth Adding localhost to NO_PROXY to disable localhost proxying +0ms
cypress:plugin:ntlm-auth Adding 127.0.0.1 to NO_PROXY to disable localhost proxying +3ms
cypress:plugin:ntlm-auth NTLM auth config API listening on port: 3012 +18ms
cypress:plugin:ntlm-auth NTLM auth proxy listening on port: 3013 +80ms
cypress:plugin:ntlm-auth wrote C:\Users\MYUSER\AppData\Roaming\cypress-ntlm-auth\cypress-ntlm-auth.port +6ms
cypress:plugin:ntlm-auth Startup done! +0ms
cypress:plugin:ntlm-auth { configApiUrl: 'http://127.0.0.1:3012',
cypress:plugin:ntlm-auth ntlmProxyUrl: 'http://127.0.0.1:3013' } +0ms
cypress:plugin:ntlm-auth Received alive +2s
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:3035 to target https://download.cypress.io:443/ +2m
cypress:plugin:ntlm-auth Request to https://download.cypress.io:443/ - pass on +1ms
cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:3035 due to socket.close +6s
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:3068 to target https://accounts.google.com:443/ +53s
cypress:plugin:ntlm-auth Request to https://accounts.google.com:443/ - pass on +1ms
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:3064 to target https://clientservices.googleapis.com:443/ +3ms
cypress:plugin:ntlm-auth Request to https://clientservices.googleapis.com:443/ - pass on +3ms
cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:3068 due to socket.close +5s
cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:3064 due to socket.close +3ms
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:3104 to target http://cplrpuzwsavr:80/ +23s
cypress:plugin:ntlm-auth Request to http://cplrpuzwsavr:80/ - pass on +16ms
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:3105 to target http://ftypilfuneant:80/ +9ms
cypress:plugin:ntlm-auth Request to http://ftypilfuneant:80/ - pass on +7ms
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:3106 to target http://vxihtvyj:80/ +2ms
cypress:plugin:ntlm-auth Request to http://vxihtvyj:80/ - pass on +1ms
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:3112 to target http://127.0.0.1:3012/ +4s
cypress:plugin:ntlm-auth Request to config API +1ms
cypress:plugin:ntlm-auth Created untracked agent for target http://127.0.0.1:3012/ +0ms
cypress:plugin:ntlm-auth Received valid NTLM config update +42ms
cypress:plugin:ntlm-auth Added new host https://devel.myapplication.com:443/ +0ms
cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:3106 due to socket.close +2s
cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:3104 due to socket.close +5ms
cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:3105 due to socket.close +1ms
cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:3112 due to socket.close +3s
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:3118 to target https://devel.myapplication.com:443/ +15s
cypress:plugin:ntlm-auth Request to https://devel.myapplication.com:443/ in registered NTLM Hosts +2ms
cypress:plugin:ntlm-auth Received 401 with NTLM in www-authenticate header. Starting handshake. +724ms
cypress:plugin:ntlm-auth Sending NTLM message type 1 +27ms
cypress:plugin:ntlm-auth Received NTLM message type 2, using NTLMv2 +701ms
cypress:plugin:ntlm-auth Sending NTLM message type 3 with initial client request +5ms
cypress:plugin:ntlm-auth NTLM authentication failed (invalid credentials) with host https://devel.myapplication.com:443/ +711ms
cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:3118 due to socket.close +5s

Appreciate all the help!

bjowes commented 4 years ago

Hi @paulinosantos - could it be that you are using both cy.ntlm and cy.ntlmSso? The logs show that the target host is configured, but not configured for SSO. If you configure the same host with both cy.ntlm and cy.ntlmSso, the cy.ntlm config will be applied when connecting to that host. Try removing calls to cy.ntlm and see if that helps.

paulinosantos commented 4 years ago

> Hi @paulinosantos - could it be that you are using both cy.ntlm and cy.ntlmSso? The logs show that the target host is configured, but not configured for SSO. If you configure the same host with both cy.ntlm and cy.ntlmSso, the cy.ntlm config will be applied when connecting to that host. Try removing calls to cy.ntlm and see if that helps.

Thanks for the response. I've checked my tests and we are not attempting both methods. I might have copied the wrong log. Just in case, I've added cy.ntlmReset() in beforeEach() and got the same result for ntlmSso():

cypress:plugin:ntlm-auth Adding localhost to NO_PROXY to disable localhost proxying +0ms
cypress:plugin:ntlm-auth Adding 127.0.0.1 to NO_PROXY to disable localhost proxying +4ms
cypress:plugin:ntlm-auth Existing proxy instance found, sending shutdown +4ms
cypress:plugin:ntlm-auth Quit request failed, trying to delete the ports file: Error: connect ECONNREFUSED 127.0.0.1:2499 +1s
cypress:plugin:ntlm-auth Ports file deleted +3ms
cypress:plugin:ntlm-auth NTLM auth config API listening on port: 11510 +14ms
cypress:plugin:ntlm-auth NTLM auth proxy listening on port: 11511 +96ms
cypress:plugin:ntlm-auth wrote C:\Users\MYUSER\AppData\Roaming\cypress-ntlm-auth\cypress-ntlm-auth.port +5ms
cypress:plugin:ntlm-auth Startup done! +0ms
cypress:plugin:ntlm-auth { configApiUrl: 'http://127.0.0.1:11510',
cypress:plugin:ntlm-auth ntlmProxyUrl: 'http://127.0.0.1:11511' } +1ms
cypress:plugin:ntlm-auth Received alive +575ms
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:11531 to target https://download.cypress.io:443/ +2m
cypress:plugin:ntlm-auth Request to https://download.cypress.io:443/ - pass on +2ms
cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:11531 due to socket.close +572ms
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:11556 to target https://clientservices.googleapis.com:443/ +35s
cypress:plugin:ntlm-auth Request to https://clientservices.googleapis.com:443/ - pass on +3ms
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:11559 to target https://accounts.google.com:443/ +2ms
cypress:plugin:ntlm-auth Request to https://accounts.google.com:443/ - pass on +1ms
cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:11556 due to socket.close +5s
cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:11559 due to socket.close +23ms
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:11592 to target http://ihvxtngcausxxio:80/ +20s
cypress:plugin:ntlm-auth Request to http://ihvxtngcausxxio:80/ - pass on +9ms
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:11593 to target http://zuuiqiuj:80/ +4ms
cypress:plugin:ntlm-auth Request to http://zuuiqiuj:80/ - pass on +1ms
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:11594 to target http://pezpzidevhie:80/ +3ms
cypress:plugin:ntlm-auth Request to http://pezpzidevhie:80/ - pass on +2ms
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:11602 to target http://127.0.0.1:11510/ +4s
cypress:plugin:ntlm-auth Request to config API +2ms
cypress:plugin:ntlm-auth Created untracked agent for target http://127.0.0.1:11510/ +1ms
cypress:plugin:ntlm-auth Received reset +49ms
cypress:plugin:ntlm-auth Removed all agents due to reset +2ms
cypress:plugin:ntlm-auth Removed and closed all tunnels due to reset +2ms
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:11602 to target http://127.0.0.1:11510/ +56ms
cypress:plugin:ntlm-auth Request to config API +2ms
cypress:plugin:ntlm-auth Created untracked agent for target http://127.0.0.1:11510/ +2ms
cypress:plugin:ntlm-auth Received valid NTLM SSO config +5ms
cypress:plugin:ntlm-auth Created agent for client 127.0.0.1:11607 to target https://devel.myapplication.com:443/ +107ms
cypress:plugin:ntlm-auth Request to https://devel.myapplication.com:443/ in registered NTLM Hosts (using SSO) +3ms
cypress:plugin:ntlm-auth Received 401 with Negotiate in www-authenticate header. Starting handshake. +700ms
cypress:plugin:ntlm-auth Sending Negotiate message token request +19ms
cypress:plugin:ntlm-auth Sending Negotiate message token response with initial client request +715ms
cypress:plugin:ntlm-auth Negotiate authentication failed (invalid credentials) with host https://devel.myapplication.com:443/ +710ms
cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:11602 due to socket.close +3s
cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:11607 due to socket.close +2s

My test looks something like:

describe('Testing routes',() =>{

    beforeEach(()=>{
        cy.server();    
        cy.ntlmReset();
    })

    it('Check List', ()=>{      
        cy.ntlmSso(['*.myapplication.com']);
        cy.visit('https://devel.myapplication.com/#/list').wait(20000)
        cy.url().should('include', '/list');
    })

})

bjowes commented 4 years ago

From the log and the code it seems correct. Not clear why the authentication fails. Some thoughts:

bjowes commented 4 years ago

Could it be that your server uses Delegation (impersonates the client when calling another service on another server)? I've found that the SSO implementation might not support that scenario and I don't have a test environment for it so I couldn't check. Pure NTLM likely won't work either in that scenario.

bjowes commented 3 years ago

Closing due to lack of activity - please reopen if more support is needed
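
The two logs in this thread differ in exactly the lines that tell you which configuration the proxy applied to the host ("in registered NTLM Hosts" versus "in registered NTLM Hosts (using SSO)") and which scheme the server offered in its 401. The script below is an added example, not part of the plugin or of anyone's post in the thread; it summarises those lines per host. The message patterns are copied from the logs above, the sample inputs are constructed from them, and it assumes handshake lines follow the request line of the same host.

```javascript
// Added example: summarise cypress-ntlm-auth debug output per target host.
// Message patterns are taken from the log lines quoted in this thread.
const PREFIX = 'cypress:plugin:ntlm-auth ';

// Entries may be run together on one line; split on the debug prefix
// and drop the trailing "+<n>ms|s|m" time delta.
function splitEntries(raw) {
  return raw.split(PREFIX)
    .map(s => s.replace(/\s*\+\d+(ms|s|m)\s*$/, '').trim())
    .filter(Boolean);
}

function summariseAuth(raw) {
  const hosts = {};
  let current = null; // assumption: handshake lines belong to the last registered-host request
  for (const msg of splitEntries(raw)) {
    let m;
    if ((m = msg.match(/^Request to (\S+) in registered NTLM Hosts( \(using SSO\))?$/))) {
      current = m[1];
      hosts[current] = { config: m[2] ? 'ntlmSso' : 'ntlm', scheme: null, outcome: 'pending' };
    } else if (current && (m = msg.match(/^Received 401 with (NTLM|Negotiate) in www-authenticate header/))) {
      hosts[current].scheme = m[1];
    } else if ((m = msg.match(/^(NTLM|Negotiate) authentication failed \(invalid credentials\) with host (\S+)$/))) {
      const h = hosts[m[2]] || (hosts[m[2]] = { config: null, scheme: m[1] });
      h.outcome = 'failed';
    }
  }
  return hosts;
}

// Hosts the proxy handled with explicit cy.ntlm credentials rather than SSO.
function hostsNotUsingSso(raw) {
  const summary = summariseAuth(raw);
  return Object.keys(summary).filter(h => summary[h].config === 'ntlm');
}

// Constructed samples modelled on the two logs in the thread.
const HOST = 'https://devel.myapplication.com:443/';
const sampleCredentials = [
  PREFIX + 'Request to https://download.cypress.io:443/ - pass on +1ms',
  PREFIX + `Request to ${HOST} in registered NTLM Hosts +2ms`,
  PREFIX + 'Received 401 with NTLM in www-authenticate header. Starting handshake. +724ms',
  PREFIX + `NTLM authentication failed (invalid credentials) with host ${HOST} +711ms`,
].join(' ');
const sampleSso = [
  PREFIX + `Request to ${HOST} in registered NTLM Hosts (using SSO) +3ms`,
  PREFIX + 'Received 401 with Negotiate in www-authenticate header. Starting handshake. +700ms',
  PREFIX + `Negotiate authentication failed (invalid credentials) with host ${HOST} +710ms`,
].join('\n');

console.log(summariseAuth(sampleCredentials), summariseAuth(sampleSso));
```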