Closed RenanPFerreira closed 6 months ago
Hi @RenanPFerreira,
The Certificate validation message is just a warning, it will not break the authentication.
Please skip the protocol part of the URL in your call to cy.ntlm, like this: cy.ntlm(["link-im-trying.reach.com.br"], ...
You should be able to see an error message from the cy.ntlm call when calling it with the protocol part.
Hi @bjowes, thanks for answering me!
I'm trying without the https part, but the same 401 Unauthorized error comes up.
Please verify that the target site requires windows authentication (there are other forms of authentication that would trigger a login prompt) and that it allows NTLM. Since you’ve already tried the debug log, do that again. If NTLM is supported you should see lines like “starting NTLM handshake”
Hi @bjowes !
What is the correct way to find out a site's authentication method? I don't understand much about network policies. I inspected with F12 in Chrome when sending the login and password. I think the method is "oAuth", is this correct?
Correct. OAuth is an authentication protocol which isn’t supported by this plugin. The plug-in only supports NTLM and Negotiate (Kerberos).
Unfortunately the way to sign in with oauth depends on the identity provider and which oauth flows are configured for the site. Start out by trying to find the above info, then Google it combined with cypress. Good luck!
Understood! Thanks for the feedback and the tips, now I have a way to find this!
Thanks
Hi @bjowes
Just for information: when I try to send a cy.request to the URL, Cypress returns an NTLM authentication. Is there any chance the site uses this method?
Well, then it seems your target site uses NTLM after all. Possibly the oauth library is used to communicate with other services.
Then I repeat my previous request, take another look at the debug logs and check if you find any information about the NTLM handshake
Hi @bjowes, the execution log doesn't have any NTLM handshake info. Is there another way to see the log/debug info?
Yes, before executing my test I set up debug for the cypress ntlm plugin, but I didn't see any NTLM handshake.
You are running cypress from bash, not from windows cmd. Please do:
DEBUG=cypress:plugin:ntlm-auth npx cypress-ntlm open
That's right, running in CMD I got a lot of log output. I believe there is now info about the handshake in this image.
The credentials are correct, I can log in manually on this site.
I think it's important to say that it's a corporate link, accessed remotely on the company's desktop/internet.
Great, from the logs it is clear that the plug-in attempts the NTLM handshake. Couple of things to try:
Hi @bjowes answering your questions.
• is the domain required when logging in manually? Otherwise try without it, it is generally not needed.
Domain isn't required; access is made only with credentials in the prompt. Example: username: u.ser password: p@ss4w0rD#
• ensure that the username is only username, not prefixed with domain like DOMAIN\user
Checked, it is only the username.
• try using cy.ntlmSso and run cypress as the user you are trying to login with. The sso version supports a more complete feature set for authentication so that might help. It’s not possible to change user with sso but would be interesting just to verify
You mean, use this code? cy.ntlmSso('link')
Thanks for clarifying
Yes, where link should be like ['the.site.com']
@RenanPFerreira are you able to resolve your issue here?
Hi @sjbarbosa!
I can't test the last recommendation from @bjowes yet. Today I will try it and post the results here.
@bjowes If I try cy.ntlmSso it doesn't give any error but doesn't access the website; if I try this code together with cy.visit('link'), I'm stuck at 401 Unauthorized.
Only with cy.ntlmSso
With cy.ntlmSso + cy.visit
cy.ntlm overrides cy.ntlmSso when both are used to setup the same target site. Remove cy.ntlm and try again.
Could you also state how the site you are accessing is hosted? Is it on IIS or on something else? Which versions of Windows, Node and Cypress are you using?
Additional things to verify:
cy.log(Cypress.env("E2E_USER")). In case there are certain special characters in the password (backslash or quotes) they may need escaping, so logging it like this should tell you if the string you pass to cy.ntlm is what you expect
Hi @bjowes, I will post the log with NTLM_HEADERS=2 here; after you check it I will remove the file. Answering the questions:
The site is a third-party service hosted in my company's domain, I think... It is reachable only over my VPN. Cypress is located on this internal machine; if I try to access the site from a browser on this PC it works.
Example: https://portal-bi-dock.cooperbankbr.com.br (portal-bi-dock is the third-party company) (cooperbank is the company where I work)
Cypress version: v12.9.0 Node version: v14.18.1 Windows: 11
Log File: (Hit an emoji after you download please)
Sorry, you need to set DEBUG_NTLM_HEADERS=1 which logs all the headers. If you want to truncate I am only interested in the logs for header message type 2.
Sorry I wasn't totally clear. You need to activate the debug logs just as before, AND set the DEBUG_NTLM_HEADERS variable too.
I need to run the commands below and then run the code, right? I checked the credentials with cy.log and they're all right; the password has special characters but no backslash or quotes.
set DEBUG_NTLM_HEADERS=1
set DEBUG=cypress:plugin:ntlm-auth
npx cypress-ntlm open
Updated log @bjowes
Thanks for the logs. The windows domain reported by the target site is different from the domain you are supplying in the config to cy.ntlm. This might still be correct, given that a trust relationship exists between the domains. But it might also be the cause for the issue. Try removing the domain part of the cy.ntlm call, and the plugin will use the target site domain automatically. This is the same behaviour as a browser would use if you enter just a username without domain part in the authentication popup.
So try doing
cy.ntlm(["link-im-trying.reach.com.br"], Cypress.env("E2E_USER"), Cypress.env("E2E_PASSWORD"));
and remove cy.ntlmSso
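The comparison described in the comment above (the Windows domain the target site reports in its type 2 message versus the domain configured for cy.ntlm), as an added example that is not part of the original thread or the plugin's own code. It assumes the input is the raw `WWW-Authenticate` value of the form `NTLM <base64>` from the 401 response; `parseNtlmType2`, `domainMatches`, `buildSampleType2` and the `CORP` / `corp.example` sample values are hypothetical names constructed for illustration.

```javascript
// Added example (not the plugin's code): decode an NTLM Type 2 challenge per MS-NLMP.
const AV_NAMES = { 1: 'nbComputer', 2: 'nbDomain', 3: 'dnsComputer', 4: 'dnsDomain', 5: 'dnsTree' };

function parseNtlmType2(headerValue) {
  const m = /^NTLM\s+([A-Za-z0-9+/=]+)$/.exec(headerValue.trim());
  if (!m) throw new Error('header does not carry an NTLM token');
  const buf = Buffer.from(m[1], 'base64');
  const isType2 = buf.length >= 32 && buf.toString('latin1', 0, 8) === 'NTLMSSP\0' && buf.readUInt32LE(8) === 2;
  if (!isType2) throw new Error('not an NTLM type 2 message');
  const flags = buf.readUInt32LE(20);
  // A "field" is len(2) maxlen(2) offset(4); the data itself lives in the payload.
  const field = (pos) => {
    const len = buf.readUInt16LE(pos), off = buf.readUInt32LE(pos + 4);
    if (off + len > buf.length) throw new Error('field points outside message');
    return buf.subarray(off, off + len);
  };
  const targetName = field(12).toString(flags & 0x1 ? 'utf16le' : 'latin1');
  const info = {};
  if ((flags & 0x00800000) && buf.length >= 48) { // NTLMSSP_NEGOTIATE_TARGET_INFO
    const ti = field(40);
    for (let p = 0; p + 4 <= ti.length;) {
      const id = ti.readUInt16LE(p), len = ti.readUInt16LE(p + 2);
      if (id === 0) break; // MsvAvEOL terminates the list
      if (p + 4 + len > ti.length) throw new Error('truncated AV pair');
      if (AV_NAMES[id]) info[AV_NAMES[id]] = ti.toString('utf16le', p + 4, p + 4 + len);
      p += 4 + len;
    }
  }
  return { targetName, flags, info };
}

// True if the domain configured for the test matches any domain name the server reported.
function domainMatches(configured, parsed) {
  const names = [parsed.targetName, parsed.info.nbDomain, parsed.info.dnsDomain];
  return names.some((n) => n && n.toLowerCase() === configured.toLowerCase());
}

// Constructed sample challenge (domain CORP / corp.example) so the block runs offline.
function buildSampleType2() {
  const av = (id, s) => {
    const v = Buffer.from(s, 'utf16le'), h = Buffer.alloc(4);
    h.writeUInt16LE(id, 0); h.writeUInt16LE(v.length, 2);
    return Buffer.concat([h, v]);
  };
  const name = Buffer.from('CORP', 'utf16le');
  const info = Buffer.concat([av(2, 'CORP'), av(4, 'corp.example'), Buffer.alloc(4)]);
  const hdr = Buffer.alloc(56); // fixed header incl. 8-byte version; challenge left as zeros
  hdr.write('NTLMSSP\0', 0, 'latin1'); hdr.writeUInt32LE(2, 8); hdr.writeUInt32LE(0x00810201, 20);
  const setField = (pos, len, off) => { hdr.writeUInt16LE(len, pos); hdr.writeUInt16LE(len, pos + 2); hdr.writeUInt32LE(off, pos + 4); };
  setField(12, name.length, 56); setField(40, info.length, 56 + name.length);
  return 'NTLM ' + Buffer.concat([hdr, name, info]).toString('base64');
}

console.log(domainMatches('OTHERDOM', parseNtlmType2(buildSampleType2()))); // false: domains differ
```

A mismatch here is not proof of misconfiguration, since a trust relationship between domains can make a different domain valid, as the comment above notes.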
I tried the code above, but it still gives 401 Unauthorized.
This is the log; it looks pretty much the same as the old log.
VsCode:
Log FILE: cypress_log_novo.txt
Spent some time looking at the logs and decoding the headers but I can't see anything wrong with them. I believe the issue must somehow be related to that the authentication is performed cross-domain (your machine is in one domain while the site and user is in another). But the plugin has worked fine for such scenarios in the past.
Would be awesome if you could capture the headers when logging in through the web browser, then I could compare. But I don't know of any easy way to do this - Chrome hides the authentication headers in the developer tools.
Could you check if "extended protection" or "channel binding" is required for the target site? This is a configuration in the web server that adds additional security for HTTPS sites. Currently that feature is not implemented in the plugin's NTLM, so if that is required by the target site then that may be the reason why it fails.
cy.ntlmSso does support "extended protection", which is why I asked you to try it out before. cy.ntlmSso will login with the user currently signed in to windows, it probably won't work for you since you are trying to login with a user from another domain.
Hi, i'm getting the same error "401 Unauthorized" trying to reach my company's website which requires windows authentication. Point is that the same cypress project runs on my colleague's PC with same configurations and accesses. Could you please look up debug logs. logs.txt
@Anonymous6666666666 Please open another issue if you need more support, it is not related to this one. Some brief reflections from reading the logs: There is only one NTLM authentication occurring, and it succeeds. So from an authentication perspective it seems fine. What appears frequently in the logs is warnings about invalid certificates. As long as you are running the plugin with default settings, these are only warnings and should not block your tests. The most likely reason for these warnings is that your computer is behind a corporate proxy that replaces all the certificates (since it inspects the HTTPS traffic), and Node needs to be configured to accept the certificate from the proxy. Look for more info on this in the readme of this repo. Most likely your colleague has already done this or is bypassing the corporate proxy.
Hello! I am getting the same error.
Our website uses Angular in frontend and windows authentication. After we upgraded our servers to Windows 2022 from Windows 2012 and IIS from 8.5 to 10.0 cypress tests suddenly started getting "401 Unauthorized" on all authenticated requests.
I tried steps suggested above and the tests run fine on my local machine when I use ntlmSso function. Unfortunately we run our tests in docker and use a specific E2E user so that is not a viable solution.
Well @TK29165 , that might be related to this issue. Could you please compare the IIS settings before and after? The most interesting part is if there are any changes within the Windows Authentication block - I suspect that "enhanced protection" has been enabled on your upgraded site.
Ok, we figured out that it was a misconfiguration on our part. Everything started working after we fixed it. Thank you :)
This is happening to me as well.
I have a Blazor Application that is trying to use the authentication of an Active Directory
I get this error when I try to connect to the site:
trying to connect to the site I can just give it a username and password:
Logging in manually is working perfectly:
Here is the code for the ntlm authentication:
describe('ntlm authentication', () => {
  it('should be on the homepage', () => {
    cy.ntlm(['x.x.x.224'], 'Administrator', 'Test1234')
    cy.visit('http://x.x.x.224:5000')
  });
})
Here is the repo of the WebService I am trying to see how this authentication works: https://github.com/akovac35/TestingBlazor
Also here are my logs:
GET /__cypress/iframes/cypress%5Ce2e%5CPM4W_Blazor%5Cui_test.cy.ts?browserFamily=chromium 200 1.656 ms - -
GET /__cypress/tests?p=cypress%5Csupport%5Ce2e.ts 200 1.871 ms - -
GET /__cypress/tests?p=cypress%5Ce2e%5CPM4W_Blazor%5Cui_test.cy.ts 200 4.398 ms - -
cypress:plugin:ntlm-auth getTargetHost - host header x.x.x.x:59747 +13s
cypress:plugin:ntlm-auth Created agent for client x.x.x.x:51605 to target http://x.x.x.x:59747/ +1ms
cypress:plugin:ntlm-auth Request to config API +0ms
cypress:plugin:ntlm-auth Created untracked agent for target http://x.x.x.x:59747/ +0ms
cypress:plugin:ntlm-auth Received valid NTLM config update +2ms
cypress:plugin:ntlm-auth Added new hosts [ 'x.x.x.5:5000' ] +1ms
cypress:plugin:ntlm-auth getTargetHost - host header x.x.x.x:59747 +1ms
cypress:plugin:ntlm-auth getTargetHost - host header x.x.x.5:5000 +8ms
cypress:plugin:ntlm-auth Request to http://x.x.x.5:5000/ in registered NTLM Hosts +0ms
cypress:plugin:ntlm-auth getTargetHost - host header x.x.x.5:5000 +4ms
cypress:plugin:ntlm-auth Tunnel to unitedstates.smartscreen.microsoft.com:443 +388ms
cypress:plugin:ntlm-auth Tunnel to unitedstates.smartscreen.microsoft.com:443 +5ms
cypress:plugin:ntlm-auth client closed tunnel socket to unitedstates.smartscreen.microsoft.com:443 +701ms
cypress:plugin:ntlm-auth server closed tunnel socket to unitedstates.smartscreen.microsoft.com:443 +1ms
cypress:plugin:ntlm-auth server closed tunnel socket to unitedstates.smartscreen.microsoft.com:443 +1ms
POST /api/browser/edge/navigate/3 200 1215.241 ms - -
cypress:plugin:ntlm-auth client closed tunnel socket to unitedstates.smartscreen.microsoft.com:443 +131ms
cypress:plugin:ntlm-auth server closed tunnel socket to unitedstates.smartscreen.microsoft.com:443 +0ms
cypress:plugin:ntlm-auth server closed tunnel socket to unitedstates.smartscreen.microsoft.com:443 +1ms
POST /api/browser/edge/navigate/3 200 1357.594 ms - -
cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:51605 due to socket.close +4s
@CT4nk3r - Sorry, didn't catch this properly when you posted. If this is still an issue, please open a new ticket.
I'm trying to reach my company's website using Cypress. The page requires a login through a prompt (HTTP Authenticator) but even using the NTLM settings I still get a 401 Unauthorized error.
I've already tried to perform the step-step of other issues that opened with the same problem, but without success.
Opening a DEBUG log I found an error, but I couldn't identify what it is: cypress-ntlm-auth: Certificate validation failed for "url-im-trying-access". ERR_TLS_CERT_ALTNAME_INVALID
The code below shows how I am passing the cy.ntlm and how I am visiting the site.
cy.ntlm(["https://link-im-trying.reach.com.br"], Cypress.env("E2E_USER"), Cypress.env("E2E_PASSWORD"), Cypress.env("E2E_DOMAIN"));
cy.visit('https://link-im-trying.reach.com.br/reports/browse')