bjowes / cypress-ntlm-auth

Windows authentication plugin for Cypress
MIT License

Error 401 Unauthorized - using NTLM #231

Closed RenanPFerreira closed 6 months ago

RenanPFerreira commented 1 year ago

I'm trying to reach my company's website using Cypress. The page requires a login through a prompt (HTTP Authenticator) but even using the NTLM settings I still get a 401 Unauthorized error.

I've already tried to follow the step-by-step from other issues that were opened with the same problem, but without success.

Opening DEBUG I found an error, but I couldn't identify what it is: cypress-ntlm-auth: Certificate validation failed for "url-im-trying-access". ERR_TLS_CERT_ALTNAME_INVALID

The code below shows how I am passing the cy.ntlm and how I am visiting the site.

cy.ntlm(
  ["https://link-im-trying.reach.com.br"],
  Cypress.env("E2E_USER"),
  Cypress.env("E2E_PASSWORD"),
  Cypress.env("E2E_DOMAIN")
);
cy.visit('https://link-im-trying.reach.com.br/reports/browse')

bjowes commented 1 year ago

Hi @RenanPFerreira, The Certificate validation message is just a warning, it will not break the authentication. Please skip the protocol part of the URL in your call to cy.ntlm, like this: cy.ntlm(["link-im-trying.reach.com.br"], ... You should be able to see an error message from the cy.ntlm call when calling it with the protocol part.

RenanPFerreira commented 1 year ago

Hi @bjowes, thanks for answering me! I'm trying without the https part but the same 401 Unauthorized error comes up.

bjowes commented 1 year ago

Please verify that the target site requires windows authentication (there are other forms of authentication that would trigger a login prompt) and that it allows NTLM. Since you’ve already tried the debug log, do that again. If NTLM is supported you should see lines like “starting NTLM handshake”
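
One way to make the check suggested above concrete, as an added example that is not part of the original thread or of the plugin: classify the schemes offered in the WWW-Authenticate header values of a 401 response. The function names and the sample header values are constructed for illustration.

```javascript
// Added example, not part of cypress-ntlm-auth; header samples are constructed.
// Schemes the plugin handles according to this thread: NTLM and Negotiate.
const PLUGIN_SCHEMES = new Set(["ntlm", "negotiate"]);

// Split one WWW-Authenticate value on commas that are not inside quotes.
function splitOutsideQuotes(value) {
  const parts = [];
  let current = "";
  let inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuotes && ch === "\\") { // keep an escaped character with its backslash
      current += ch + (value[++i] ?? "");
      continue;
    }
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === "," && !inQuotes) {
      parts.push(current.trim());
      current = "";
    } else {
      current += ch;
    }
  }
  parts.push(current.trim());
  return parts.filter(Boolean);
}

// A piece opens a new challenge when it starts with a bare token ("NTLM",
// 'Basic realm="x"'); a piece like error="..." is a parameter of the previous one.
function offeredSchemes(headerValues) {
  const schemes = [];
  for (const value of headerValues) {
    for (const piece of splitOutsideQuotes(value)) {
      const m = /^([!#$%&'*+.^_`|~0-9A-Za-z-]+)(?=\s|$)/.exec(piece);
      if (m) schemes.push(m[1]);
    }
  }
  return schemes;
}

// Decide whether a 401 is one that cy.ntlm / cy.ntlmSso can answer.
function classify401(headerValues) {
  const schemes = offeredSchemes(headerValues);
  const usable = schemes.filter((s) => PLUGIN_SCHEMES.has(s.toLowerCase()));
  return { schemes, usable, pluginApplies: usable.length > 0 };
}

// Constructed samples: Windows authentication, an OAuth-protected API, a mix.
const SAMPLES = {
  windows: ["Negotiate", "NTLM"],
  oauth: ['Bearer realm="api, v2", error="invalid_token"'],
  mixed: ['Basic realm="intranet", NTLM'],
};
for (const [name, values] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(classify401(values)));
}
```

A result with pluginApplies false means the login prompt comes from a scheme the plugin does not speak, which matches the OAuth case discussed later in the thread.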

RenanPFerreira commented 1 year ago

Hi @bjowes !

What is the correct method to find the authentication of a site? I don't understand much about network policies. I inspected with F12 in Chrome when sending the login and password. I think the method is "OAuth", is this correct?

bjowes commented 1 year ago

Correct. OAuth is an authentication protocol which isn’t supported by this plugin. The plug-in only supports NTLM and Negotiate (Kerberos).

Unfortunately the way to sign in with oauth depends on the identity provider and which oauth flows are configured for the site. Start out by trying to find the above info, then Google it combined with cypress. Good luck!

RenanPFerreira commented 1 year ago

Understood! Thanks for the feedback and the tips, now I have a way to find this!

Thanks

RenanPFerreira commented 1 year ago

Hi @bjowes, just for information: when I try to send a cy.request to the URL, Cypress returns an NTLM authentication. Is there any chance the site uses this method?

bjowes commented 1 year ago

Well, then it seems your target site uses NTLM after all. Possibly the oauth library is used to communicate with other services.

Then I repeat my previous request, take another look at the debug logs and check if you find any information about the NTLM handshake

RenanPFerreira commented 1 year ago

Hi @bjowes, the execution log doesn't have any NTLM handshake info. Is there another way to see the log/debug info?

bjowes commented 1 year ago

Please see https://github.com/bjowes/cypress-ntlm-auth#debugging

RenanPFerreira commented 1 year ago

Yes, before executing my test I set up debug for the cypress ntlm plugin, but I didn't see any NTLM handshake.

bjowes commented 1 year ago

You are running cypress from bash, not from windows cmd. Please do: DEBUG=cypress:plugin:ntlm-auth npx cypress-ntlm open

RenanPFerreira commented 1 year ago

That's right, running in CMD I got a lot of log output. I believe there is now info about the handshake in this image. The credentials are correct; I can log in manually on this site. I think it's important to say that it's a corporate link, accessed remotely from the company's desktop/internet.

bjowes commented 1 year ago

Great, from the logs it is clear that the plug-in attempts the NTLM handshake. Couple of things to try:

RenanPFerreira commented 1 year ago

Hi @bjowes answering your questions.

• is the domain required when logging in manually? Otherwise try without it, it is generally not needed.

The domain isn't required; access is made only with the credentials in the prompt. Example: username: u.ser password: p@ss4w0rD#

• ensure that the username is only username, not prefixed with domain like DOMAIN\user

Checked, it is only the username.

• try using cy.ntlmSso and run cypress as the user you are trying to login with. The sso version supports a more complete feature set for authentication so that might help. It’s not possible to change user with sso but would be interesting just to verify

Do you mean this code? cy.ntlmSso('link')

bjowes commented 1 year ago

Thanks for clarifying

Yes, where link should be like ['the.site.com']

sjbarbosa commented 1 year ago

@RenanPFerreira are you able to resolve your issue here?

RenanPFerreira commented 1 year ago

Hi @sjbarbosa!

I haven't been able to test the last recommendation from @bjowes yet. Today I will try it and post the results here.

RenanPFerreira commented 1 year ago

@bjowes If I try cy.ntlmSso it doesn't give any error but it doesn't access the website; if I try this code together with cy.visit('link'), I am stuck at 401 Unauthorized.

Only with cy.ntlmSso: [image]
With cy.ntlmSso + cy.visit: [image]

bjowes commented 1 year ago

cy.ntlm overrides cy.ntlmSso when both are used to setup the same target site. Remove cy.ntlm and try again.

Could you also state how the site you are accessing is hosted? Is it on IIS or on something else? Which versions of Windows, Node and Cypress are you using?

Additional things to verify:

RenanPFerreira commented 1 year ago

Hi @bjowes, I will send the log with NTLM_HEADERS=2 here; after you check it I will remove the file. Answering the questions:

The site is a third-party service hosted in my company's domain, I think... It is reachable only through my VPN. Cypress is located on this internal machine; if I try to access the site in the browser on this PC it works.

Example: https://portal-bi-dock.cooperbankbr.com.br (portal-bi-dock is the third-party company) (cooperbank is the company where I work)

Cypress version: v12.9.0
Node version: v14.18.1
Windows: 11

Log File: (Hit an emoji after you download please)

bjowes commented 1 year ago

Sorry, you need to set DEBUG_NTLM_HEADERS=1 which logs all the headers. If you want to truncate I am only interested in the logs for header message type 2.

bjowes commented 1 year ago

Sorry I wasn't totally clear. You need to activate the debug logs just as before, AND set the DEBUG_NTLM_HEADERS variable too.

RenanPFerreira commented 1 year ago

I need to run the commands below and then run the code, right? I checked the credentials in cy.log and they are all right; the password has special characters but doesn't have a backslash or quotes.

set DEBUG_NTLM_HEADERS=1
set DEBUG=cypress:plugin:ntlm-auth
npx cypress-ntlm open

RenanPFerreira commented 1 year ago

Updated log @bjowes

bjowes commented 1 year ago

Thanks for the logs. The windows domain reported by the target site is different from the domain you are supplying in the config to cy.ntlm. This might still be correct, given that a trust relationship exists between the domains. But it might also be the cause for the issue. Try removing the domain part of the cy.ntlm call, and the plugin will use the target site domain automatically. This is the same behaviour as a browser would use if you enter just a username without domain part in the authentication popup.

So try doing

cy.ntlm(["link-im-trying.reach.com.br"], Cypress.env("E2E_USER"), Cypress.env("E2E_PASSWORD"));

and remove cy.ntlmSso
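
The domain comparison described above, as an added example that is not the plugin's code and not part of the original thread: decode the NTLM Type 2 challenge from a WWW-Authenticate value, read the domain names the server reports, and compare them with the domain passed to cy.ntlm. The function names, the sample message and the domain names are constructed; the input is the header value itself, no particular log format is assumed.

```javascript
const FLAG_UNICODE = 0x00000001; // NTLMSSP_NEGOTIATE_UNICODE
const AV_EOL = 0, AV_NB_DOMAIN = 2, AV_DNS_DOMAIN = 4; // AV_PAIR ids

// Read a security buffer descriptor: uint16 len, uint16 maxLen, uint32 offset.
function readField(msg, pos) {
  const len = msg.readUInt16LE(pos), off = msg.readUInt32LE(pos + 4);
  if (off + len > msg.length) throw new Error("field points outside message");
  return msg.subarray(off, off + len);
}

// Decode the value of a "WWW-Authenticate: NTLM <base64>" challenge (Type 2).
function parseType2(headerValue) {
  const m = /^NTLM\s+([A-Za-z0-9+/]+=*)\s*$/i.exec(headerValue);
  if (!m) throw new Error("not an NTLM challenge header");
  const msg = Buffer.from(m[1], "base64");
  const isType2 = msg.length >= 48 &&
    msg.toString("latin1", 0, 8) === "NTLMSSP\0" && msg.readUInt32LE(8) === 2;
  if (!isType2) throw new Error("not a Type 2 message with target info");
  const enc = msg.readUInt32LE(20) & FLAG_UNICODE ? "utf16le" : "latin1";
  const out = { targetName: readField(msg, 12).toString(enc) };
  const info = readField(msg, 40); // AV_PAIR list, values are UTF-16LE
  for (let p = 0; p + 4 <= info.length; ) {
    const id = info.readUInt16LE(p), len = info.readUInt16LE(p + 2);
    if (id === AV_EOL) break;
    const value = info.subarray(p + 4, p + 4 + len).toString("utf16le");
    if (id === AV_NB_DOMAIN) out.nbDomain = value;
    if (id === AV_DNS_DOMAIN) out.dnsDomain = value;
    p += 4 + len;
  }
  return out;
}

// True when no domain is configured (the server's domain is then used, as the
// thread describes) or when it equals a name the server reported.
function domainMatches(configured, parsed) {
  if (!configured) return true;
  const want = configured.toLowerCase();
  return [parsed.targetName, parsed.nbDomain, parsed.dnsDomain]
    .some((d) => d !== undefined && d.toLowerCase() === want);
}

// Build a constructed Type 2 header so the example runs offline.
function buildSampleType2(nbDomain, dnsDomain) {
  const av = (id, s) => {
    const v = Buffer.from(s, "utf16le"), h = Buffer.alloc(4);
    h.writeUInt16LE(id, 0);
    h.writeUInt16LE(v.length, 2);
    return Buffer.concat([h, v]);
  };
  const name = Buffer.from(nbDomain, "utf16le");
  const info = Buffer.concat([av(AV_NB_DOMAIN, nbDomain), av(AV_DNS_DOMAIN, dnsDomain), Buffer.alloc(4)]);
  const head = Buffer.alloc(48);
  head.write("NTLMSSP\0", 0, "latin1");
  head.writeUInt32LE(2, 8);                  // message type
  head.writeUInt16LE(name.length, 12);       // target name length
  head.writeUInt32LE(48, 16);                // target name offset
  head.writeUInt32LE(FLAG_UNICODE, 20);      // negotiate flags
  head.writeUInt16LE(info.length, 40);       // target info length
  head.writeUInt32LE(48 + name.length, 44);  // target info offset
  return "NTLM " + Buffer.concat([head, name, info]).toString("base64");
}
console.log(domainMatches("CORPA", parseType2(buildSampleType2("CORPB", "corpb.example")))); // false
```

A false result only shows that the configured domain differs from what the server reports; as noted in the comment above, that can still be valid when a trust relationship exists between the domains.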

RenanPFerreira commented 1 year ago

I tried the code above, but it still gives 401 Unauthorized. This is the log; it seems pretty much the same as the old log.

Log FILE: cypress_log_novo.txt

bjowes commented 1 year ago

Spent some time looking at the logs and decoding the headers but I can't see anything wrong with them. I believe the issue must somehow be related to that the authentication is performed cross-domain (your machine is in one domain while the site and user is in another). But the plugin has worked fine for such scenarios in the past.

Would be awesome if you could capture the headers when logging in through the web browser, then I could compare. But I don't know of any easy way to do this - Chrome hides the authentication headers in the developer tools.

Could you check if "extended protection" or "channel binding" is required for the target site? This is a configuration in the web server that adds additional security for HTTPS sites. Currently that feature is not implemented in the plugin's NTLM, so if that is required by the target site then that may be the reason why it fails.

cy.ntlmSso does support "extended protection", which is why I asked you to try it out before. cy.ntlmSso will login with the user currently signed in to windows, it probably won't work for you since you are trying to login with a user from another domain.

Anonymous6666666666 commented 1 year ago

Hi, i'm getting the same error "401 Unauthorized" trying to reach my company's website which requires windows authentication. Point is that the same cypress project runs on my colleague's PC with same configurations and accesses. Could you please look up debug logs. logs.txt

bjowes commented 1 year ago

@Anonymous6666666666 Please open another issue if you need more support, it is not related to this one. Some brief reflections from reading the logs: There is only one NTLM authentication occurring, and it succeeds. So from an authentication perspective it seems fine. What appears frequently in the logs is warnings about invalid certificates. As long as you are running the plugin with default settings, these are only warnings and should not block your tests. The most likely reason for these warnings is that your computer is behind a corporate proxy that replaces all the certificates (since it inspects the HTTPS traffic), and Node needs to be configured to accept the certificate from the proxy. Look for more info on this in the readme of this repo. Most likely your colleague has already done this or is bypassing the corporate proxy.

TK29165 commented 1 year ago

Hello! I am getting the same error.

Our website uses Angular in frontend and windows authentication. After we upgraded our servers to Windows 2022 from Windows 2012 and IIS from 8.5 to 10.0 cypress tests suddenly started getting "401 Unauthorized" on all authenticated requests.

I tried steps suggested above and the tests run fine on my local machine when I use ntlmSso function. Unfortunately we run our tests in docker and use a specific E2E user so that is not a viable solution.

cypress_logs_1.txt

bjowes commented 1 year ago

Well @TK29165 , that might be related to this issue. Could you please compare the IIS settings before and after? The most interesting part is if there are any changes within the Windows Authentication block - I suspect that "enhanced protection" has been enabled on your upgraded site.

TK29165 commented 1 year ago

Ok, we figured out that it was a misconfiguration on our part. Everything started working after we fixed it. Thank you :)

CT4nk3r commented 10 months ago

This is happening to me as well.

I have a Blazor application that is trying to use the authentication of an Active Directory. I get this error when I try to connect to the site: [image]

Trying to connect to the site, I can just give it a username and password: [image]

Logging in manually is working perfectly: [image]

Here is the code for the ntlm authentication:

describe('ntlm authentication', ()=>{
  it('should be on the homepage', () => {
    cy.ntlm(['x.x.x.224'], 'Administrator', 'Test1234')

    cy.visit('http://x.x.x.224:5000')
  });
})

Here is the repo of the WebService I am trying to see how this authentication works: https://github.com/akovac35/TestingBlazor

Also here are my logs:

GET /__cypress/iframes/cypress%5Ce2e%5CPM4W_Blazor%5Cui_test.cy.ts?browserFamily=chromium 200 1.656 ms - -
GET /__cypress/tests?p=cypress%5Csupport%5Ce2e.ts 200 1.871 ms - -
GET /__cypress/tests?p=cypress%5Ce2e%5CPM4W_Blazor%5Cui_test.cy.ts 200 4.398 ms - -
  cypress:plugin:ntlm-auth getTargetHost - host header  x.x.x.x:59747 +13s
  cypress:plugin:ntlm-auth Created agent for client x.x.x.x:51605 to target http://x.x.x.x:59747/ +1ms
  cypress:plugin:ntlm-auth Request to config API +0ms
  cypress:plugin:ntlm-auth Created untracked agent for target http://x.x.x.x:59747/ +0ms
  cypress:plugin:ntlm-auth Received valid NTLM config update +2ms
  cypress:plugin:ntlm-auth Added new hosts [ 'x.x.x.5:5000' ] +1ms
  cypress:plugin:ntlm-auth getTargetHost - host header  x.x.x.x:59747 +1ms
  cypress:plugin:ntlm-auth getTargetHost - host header  x.x.x.5:5000 +8ms
  cypress:plugin:ntlm-auth Request to http://x.x.x.5:5000/ in registered NTLM Hosts +0ms
  cypress:plugin:ntlm-auth getTargetHost - host header  x.x.x.5:5000 +4ms
  cypress:plugin:ntlm-auth Tunnel to unitedstates.smartscreen.microsoft.com:443 +388ms
  cypress:plugin:ntlm-auth Tunnel to unitedstates.smartscreen.microsoft.com:443 +5ms
  cypress:plugin:ntlm-auth client closed tunnel socket to  unitedstates.smartscreen.microsoft.com:443 +701ms
  cypress:plugin:ntlm-auth server closed tunnel socket to  unitedstates.smartscreen.microsoft.com:443 +1ms
  cypress:plugin:ntlm-auth server closed tunnel socket to  unitedstates.smartscreen.microsoft.com:443 +1ms      
POST /api/browser/edge/navigate/3 200 1215.241 ms - -
  cypress:plugin:ntlm-auth client closed tunnel socket to  unitedstates.smartscreen.microsoft.com:443 +131ms
  cypress:plugin:ntlm-auth server closed tunnel socket to  unitedstates.smartscreen.microsoft.com:443 +0ms
  cypress:plugin:ntlm-auth server closed tunnel socket to  unitedstates.smartscreen.microsoft.com:443 +1ms      
POST /api/browser/edge/navigate/3 200 1357.594 ms - -
  cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:51605 due to socket.close +4s

bjowes commented 6 months ago

@CT4nk3r - Sorry, didn't catch this properly when you posted. If this is still an issue, please open a new ticket.