bjowes / cypress-ntlm-auth

Windows authentication plugin for Cypress
MIT License

Default Blank Page after logging in using NTLM #232

Closed sjbarbosa closed 1 year ago

sjbarbosa commented 1 year ago

My company uses Windows authentication for its login. image

I tried to follow the setup: https://github.com/bjowes/cypress-ntlm-auth/issues

This is the log. image

My code on how I visit the website. cy.ntlm(["url wo protocol"],username, password);

Result: image

Inquiry:

  1. Why is it blank page?
  2. Trying cy.visit after cy.ntlm, it's giving me a 401 error. What's the best approach or workaround for pop-ups?
sjbarbosa commented 1 year ago

Additional comment: Even when my username and password are wrong, the ntlm is still passing.

bjowes commented 1 year ago

Hi @sjbarbosa, the cy.ntlm call does not login, it configures the plugin for future login attempts. Hence you need to call cy.visit to start the test. As for why you still get the 401, it is not unlikely that your target site uses resources from additional sites (like an api server and others). You need to include the hostname for all sites used by your target site (like so: cy.ntlm(['siteA.com', 'siteA.api.com'], ...)). If you don't know which to include, have a look at the developer tools in your browser. Some sites require authentication, others don't (like the google fonts site). You can use developer tools inside cypress to see which site returned the 401.

sjbarbosa commented 1 year ago

@bjowes

Apologies for the late reply. I'm not that technical, but I've checked the developer tools under Network. image

I've updated my code to this but am still getting 401.

    cy.ntlm(['my.url.com', 'localhost:51983'], username, password)
    cy.visit('https://my.url.com/', {failOnStatusCode: false})

Doing it manually, works.

bjowes commented 1 year ago

Hmm, the URLs in your devtools seem to be cypress internal resources. You need to catch traffic to the actual site.

If you go to the site manually with your browser (no cypress), do you get a login prompt or are you logged in automatically? If you get a login prompt, click cancel or enter an invalid password. Do this with developer tools enabled and you should see the actual URL(s) that give you 401.


sjbarbosa commented 1 year ago

@bjowes

When I go to the site manually without cypress, I'm getting a login prompt from Windows Security. After getting the login prompt, I clicked cancel and/or entered an invalid password, and I'm getting the same url as in the previous screenshot. image

I'm out of ideas for this one, since I already added my company's url in cy.ntlm(['my.url.com', 'localhost:51983'], username, password).

bjowes commented 1 year ago

Ok, then it seems the site is correct. You don’t need that localhost part in the cy.ntlm call, that was an internal cypress url.

To get further in the troubleshooting I would need to see debug logs. Please see the readme on how to enable them.


bjowes commented 1 year ago

Also, in the previous test without cypress, could you repeat it and scroll down to the response header www-authorize? It will list the allowed authentication protocols. Ensure that it includes NTLM.


sjbarbosa commented 1 year ago

Also, in the previous test without cypress, could you repeat it and scroll down to the response header www-authorize? It will list the allowed authentication protocols. Ensure that it includes NTLM.

image

NTLM is in the www-authorize.

sjbarbosa commented 1 year ago

Ok, then it seems the site is correct. You don’t need that localhost part in the cy.ntlm call, that was an internal cypress url. To get further in the troubleshooting I would need to see debug logs. Please see the readme on how to enable them.

image

Do you need more of the logs?

sjbarbosa commented 1 year ago

@bjowes is this related to this issue, where NTLM is unable to complete authentication when two www-authenticate headers exist? https://github.com/postmanlabs/postman-app-support/issues/4355

bjowes commented 1 year ago

I don't think that is related, it is normal that we get two www-authenticate headers - one for NTLM and one for Negotiate. This is the default when IIS is set up for Windows Authentication. At this stage, the issue seems the same as #231 - setup-wise it seems ok but the authentication still fails. Could you try using cy.ntlmSso(['your-site-here']) instead of cy.ntlm? This will only work if the user you are signed into Windows with has access to the target site. But it does provide both Negotiate support and a more complete NTLM implementation.

sjbarbosa commented 1 year ago

At this stage, the issue seems the same as #231 - setup-wise it seems ok but the authentication still fails. Could you try using cy.ntlmSso(['your-site-here']) instead of cy.ntlm? This will only work if the user you are signed into Windows with has access to the target site. But it does provide both Negotiate support and a more complete NTLM implementation.

Oh yeah, we have the same issue, or more config to do, I think.

@bjowes I tried using the ntlmSso but it's still giving a 401 error. This is the exact code:

    cy.ntlmSso(['www.myurl.com', 'myurl.com']);
    cy.visit('https://myurl.com', {failOnStatusCode: false});

image

bjowes commented 1 year ago

From the logs it seems that SSO is not used in the handshake. It should say "Request to ... in registered NTLM Hosts (using SSO)". Maybe you still have the cy.ntlm call in the code, or in a preceding test case? cy.ntlm will override cy.ntlmSso since it can be used to set different users for different sites. Try again without calling cy.ntlm first, or add a cy.ntlmReset call just before the cy.ntlmSso call.

sjbarbosa commented 1 year ago

Hi @bjowes,

I deleted the cy.ntlm (commented out, not sure why it's being detected as active). Here's my log without the cy.ntlm: image

    cy.ntlmReset();
    cy.ntlmSso(['myurl.com']);
    cy.visit('https://myurl.com', {failOnStatusCode: false});

bjowes commented 1 year ago

Well, interesting. The error message could mean that your computer cannot access the AD used to authenticate. Is your computer connected to the same Windows domain as your target site?

Could you also state how the site you are accessing is hosted? Is it on IIS or on something else? Which versions of Windows, Node and Cypress are you using?

Additional things to verify:

sjbarbosa commented 1 year ago

Well, interesting. The error message could mean that your computer cannot access the AD used to authenticate. Is your computer connected to the same Windows domain as your target site?

The site requires VPN to connect. So, I'm connected to a VPN.

sjbarbosa commented 1 year ago

Could you also state how the site you are accessing is hosted? Is it on IIS or on something else? Which versions of Windows, Node and Cypress are you using?

The site is hosted in Azure DevOps. I'm using Windows 11. Node version is v18.15.0. Cypress version is v12.10.0.

sjbarbosa commented 1 year ago

Additional things to verify:

  • You can double-check the username, password and domain info by passing them to cy.log, like cy.log(username). In case there are certain special characters in the password (backslash or quotes) they may need escaping, so logging it like this should tell you if the strings you pass to cy.ntlm are what you expect.

Yes, I'm doing a double check using cy.log for username and password. I have an email address for the username, then the password.

sjbarbosa commented 1 year ago

  • Set DEBUG_NTLM_HEADERS=1 as environment variable before running the test (with cy.ntlm). This will provide additional logs for the actual authentication headers sent. I'm most interested in the response from the server (NTLM message type 2). If you are concerned about sharing them here let me know and we will find another channel. But in general the type 2 header is not sensitive since it does not contain any credentials.

From cmd, I entered "Set DEBUG_NTLM_HEADERS=1" then "npx cypress-ntlm open". I ran the test and got this from the logs. image

We can find another channel if it can speed up the debugging. @bjowes

It has the same log with Set DEBUG_NTLM_HEADERS=2.

bjowes commented 1 year ago

Sorry I wasn't totally clear. You need to activate the debug logs just as before, AND set the DEBUG_NTLM_HEADERS variable too.

bjowes commented 1 year ago

Thanks for the logs. It seems that the username you are supplying is a UPN, meaning it has the form user.name@domain.com. NTLM does not support this format. Please supply only the first part as the username (user.name in my example).

sjbarbosa commented 1 year ago

@bjowes !!! It worked! THANK YOU!

sjbarbosa commented 1 year ago

Just a misconfig on my end.

    cy.ntlm(['my.url.com'], user.name, password)
    cy.visit('https://my.url.com/', {failOnStatusCode: false})
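As an added example (not code from the cypress-ntlm-auth project or from either participant), the JavaScript helpers below apply the three points this thread arrives at: cy.ntlm only configures the plugin, so the host list has to name every site that answered 401 in the browser's developer tools (bjowes's first reply); an earlier cy.ntlm call overrides cy.ntlmSso unless cy.ntlmReset runs first (the reply about the missing "using SSO" log line); and NTLM wants the bare account name, not a UPN of the form user.name@domain.com (the final fix). It assumes only the cy.ntlm(hosts, username, password), cy.ntlmSso(hosts), cy.ntlmReset() and cy.visit(url, options) commands exactly as used in the thread; the helper names, the recording stand-in for cy and the sample URLs and credentials are hypothetical and constructed for the demo.

```javascript
// Added example, not cypress-ntlm-auth code. Assumes the cy.ntlm / cy.ntlmSso /
// cy.ntlmReset / cy.visit commands as used in the thread; all helper names here
// are hypothetical. Node's global URL class is used, so no imports are needed.

/**
 * Turn the URLs that returned 401 in devtools into the host list cy.ntlm expects:
 * host only, no protocol, no path, and the port only when it is not the scheme
 * default (URL.host already omits 443 for https and 80 for http). Duplicates are
 * dropped, so several 401 responses from one site yield one entry.
 */
function ntlmHostsFromUrls(urls) {
  const hosts = new Set();
  for (const raw of urls) {
    hosts.add(new URL(raw).host);
  }
  return [...hosts];
}

/**
 * NTLM takes a bare account name. For a UPN such as "user.name@domain.com" return
 * the part before "@" and report the suffix that was dropped; a plain name passes
 * through unchanged with upnSuffix null.
 */
function ntlmUsernameFromUpn(username) {
  const at = username.indexOf('@');
  if (at === -1) return { username, upnSuffix: null };
  return { username: username.slice(0, at), upnSuffix: username.slice(at + 1) };
}

/**
 * The checks the thread suggests doing with cy.log before blaming the server:
 * a UPN-form username, and password characters (backslash, quotes) that shell or
 * string escaping may have mangled on the way into cy.ntlm.
 */
function credentialWarnings(username, password) {
  const warnings = [];
  if (username.includes('@')) {
    warnings.push('username is a UPN; NTLM needs only the part before "@"');
  }
  if (/[\\"']/.test(password)) {
    warnings.push('password contains backslash or quote characters; confirm with cy.log that they survived escaping');
  }
  return warnings;
}

/**
 * Issue the commands in the order the thread settled on: reset any earlier
 * cy.ntlm configuration (it would otherwise override cy.ntlmSso), configure the
 * plugin, then cy.visit to actually trigger the login. `cy` is a parameter so
 * the ordering can be exercised outside a Cypress run with the stand-in below.
 */
function configureAndVisit(cy, { hosts, username, password, sso = false, url }) {
  cy.ntlmReset();
  if (sso) {
    cy.ntlmSso(hosts);
  } else {
    const { username: bare } = ntlmUsernameFromUpn(username);
    cy.ntlm(hosts, bare, password);
  }
  // failOnStatusCode: false keeps the test alive so a 401 can still be inspected
  cy.visit(url, { failOnStatusCode: false });
}

// Recording stand-in for the Cypress `cy` object (constructed for this demo).
function recordingCy() {
  const calls = [];
  const rec = (name) => (...args) => { calls.push([name, ...args]); };
  return { calls, ntlmReset: rec('ntlmReset'), ntlm: rec('ntlm'), ntlmSso: rec('ntlmSso'), visit: rec('visit') };
}

// Stand-alone demo on constructed sample data (URLs that a devtools Network tab
// might have shown returning 401; credentials are placeholders).
function demo() {
  const seen401 = ['https://my.url.com/', 'https://my.url.com/api/session', 'https://api.my.url.com:8443/login'];
  const hosts = ntlmHostsFromUrls(seen401);
  const cy = recordingCy();
  configureAndVisit(cy, { hosts, username: 'user.name@example.com', password: 'p@ss', url: 'https://my.url.com/' });
  return { hosts, warnings: credentialWarnings('user.name@example.com', 'p@ss'), calls: cy.calls };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real spec the same call would read configureAndVisit(cy, {...}) with Cypress's own cy object, and the warnings from credentialWarnings are what a cy.log of the raw username and password would have revealed earlier in this thread: the UPN suffix that had to be dropped for the login to succeed.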