401 error when cy.visit

[danbord]

Sorry, I'm still pretty new to this. But can't get through authentication with version 1.0.7. What I have :

• A webapi service running on IIS10 Windows Authenticated and Anonymous Enabled (to get throught the CORS Preflight check)

• The address of the api is http://localhost:8080 and I have a simple sanityCheck endpoint that is not secured in my webapi.

• I use cy.ntlm('http://localhost:8080', 'myUser', 'myPassword', 'myDomain') in a beforeEach clause.

• the cy.visit('http://localhost:8080/api/v1/sanityCheck') always returns a 401 in the cypress console.

I carefully followed the installation instructions and modified both index.js files accordingly

Wondering if I'm doing something wrong

[bjowes]

Hi @danbord , The fact that you manage to execute cy.ntlm without error messages means that your installation (of cypress and the plugin) is correct. A few quick points:

• Are you running a true IIS 10, not the IIS Express bundled with Visual Studio?
• I assume directing your browser to 'http://localhost:8080/api/v1/sanityCheck' and entering your credentials works fine?
• You state that the sanityCheck endpoint is not secured by your webapi. Does this mean that it doesn't require authentication? If so, does it work if you don't call cy.ntlm?

If those didn't nugde you in the right direction to resolve it, please get debug logs from the ntlm-proxy (see the README).

[danbord]

Hello @bjowes , thanks for your quick response!

I'm using a real IIS10 running with Widnows 10. My api works well outside cypress.

Yes it works fine if I browse to 'http://localhost:8080/api/v1/sanityCheck'. I don't need to enter my credentials since its pass through. That sanityCheck endpoint is not specifically secured by a role. But the whole api requires user to be authenticated to use it.

I tried removing the cy.ntlm and its doesn't change anything.

But executing the cy.ntlm with a wrong password (by purpose) does not seems to give an error or anything.

Read through the readme file and still not sure how I can activate the debug logs.

Thanks

[bjowes]

cy.ntlm won't test your credentials - it only uses them when it processes an actual request. What I meant is that if you had missed something in the setup (like a typo in the index.js files), then cy.ntlm will complain that it can't find the ntlm-proxy.

To activate the logs, use this sequence:

1. Open two cmd prompts in the root folder of your project
2. In the first, execute set DEBUG=cypress:plugin:ntlm-auth, then execute node_modules\.bin\ntlm-proxy
3. In the second, execute node_modules\.bin\cypress-ntlm run
4. This will run through your tests once. Grab the output in the first cmd window, that is the debug logs.

I think i should clarify this process a bit in the docs...

[danbord]

Ok, I've been able to output the debug log, thanks for the clarifications.

I tried adding a binding to [removed] to avoid using localhost:8080. Again the sanityCheck works well on a standalone browser.

Here is the debug Log if it can help.

Thanks!

my\my.spec.js... (20 of 20)

my first test 1) useless test

0 passing (498ms) 1 failing

1) my first test useless test: CypressError: cy.visit() failed trying to load:

http://[removed]/api/v1/sanityCheck

The response we received from your web server was:

401: Unauthorized

This was considered a failure because the status code was not '2xx'.

If you do not want status codes to cause failures pass the option: 'failOnStatusCode: false' at Object.cypressErr (http://localhost:4200/__cypress/runner/cypress_runner.js:83220:11) at Object.throwErr (http://localhost:4200/__cypress/runner/cypress_runner.js:83185:18) at Object.throwErrByPath (http://localhost:4200/__cypress/runner/cypress_runner.js:83212:17) at http://localhost:4200/__cypress/runner/cypress_runner.js:73606:31 at visitFailedByErr (http://localhost:4200/__cypress/runner/cypress_runner.js:73175:12) at http://localhost:4200/__cypress/runner/cypress_runner.js:73587:22 at tryCatcher (http://localhost:4200/__cypress/runner/cypress_runner.js:132142:23) at Promise._settlePromiseFromHandler (http://localhost:4200/__cypress/runner/cypress_runner.js:130160:31) at Promise._settlePromise (http://localhost:4200/__cypress/runner/cypress_runner.js:130217:18) at Promise._settlePromise0 (http://localhost:4200/__cypress/runner/cypress_runner.js:130262:10) at Promise._settlePromises (http://localhost:4200/__cypress/runner/cypress_runner.js:130337:18) at Async._drainQueue (http://localhost:4200/__cypress/runner/cypress_runner.js:127066:16) at Async._drainQueues (http://localhost:4200/__cypress/runner/cypress_runner.js:127076:10) at Async.drainQueues (http://localhost:4200/__cypress/runner/cypress_runner.js:126950:14) at

(Results)

┌─────────────────────────────┐ │ Tests: 1 │ │ Passing: 0 │ │ Failing: 1 │ │ Pending: 0 │ │ Skipped: 0 │ │ Screenshots: 1 │ │ Video: true │ │ Duration: 0 seconds │ │ Spec Ran: my\my.spec.js │ └─────────────────────────────┘

(Screenshots)

• D:\DEV\testcypress\cypress\screenshots\my\my.spec.js\my first test -- useless test (failed).png (1280x720)

  (Video)

• Started processing: Compressing to 32 CRF

• Finished processing: D:\DEV\testcypress\cypress\videos\my\my.spec.js.mp4 (0 seconds)

====================================================================================================

[bjowes]

Could you please add the logs from the ntlm-proxy window also? That’s where I can see what my plugin is doing.

[danbord]

Here is the log. It clearly says that the authentication failed.. But I'm confident that the credentials passed are ok

cy.ntlm('http://[removed]', 'administrator', '[password]', 'dev.uni')

D:\DEV\testcypress>node_modules.bin\ntlm-proxy cypress:plugin:ntlm-auth Existing proxy instance found, sending shutdown +0ms cypress:plugin:ntlm-auth Ports file deleted +27ms cypress:plugin:ntlm-auth NTLM auth config API listening on port: 50451 +12ms cypress:plugin:ntlm-auth NTLM auth proxy listening on port: 50452 +34ms cypress:plugin:ntlm-auth wrote C:\Users\Administrator\AppData\Roaming\cypress-ntlm-auth\cypress-ntlm-auth.port +3ms cypress:plugin:ntlm-auth Startup done! +1ms cypress:plugin:ntlm-auth { configApiUrl: 'http://127.0.0.1:50451', cypress:plugin:ntlm-auth ntlmProxyUrl: 'http://127.0.0.1:50452' } +0ms cypress:plugin:ntlm-auth Received alive +4s cypress:plugin:ntlm-auth Request to http://localhost:4200/ - pass on +10s cypress:plugin:ntlm-auth Created non-NTLM agent for client 127.0.0.1:50459 to target http://localhost:4200/ +1ms cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:50459 due to socket.close +8ms cypress:plugin:ntlm-auth Tunnel to localhost:50456 +3s cypress:plugin:ntlm-auth Request to config API +2s cypress:plugin:ntlm-auth Created untracked agent for target http://127.0.0.1:50451/ +1ms cypress:plugin:ntlm-auth Received valid config update +17ms cypress:plugin:ntlm-auth Added new host http://[removed]:80/ +1ms cypress:plugin:ntlm-auth Request to http://[removed]:80/ in registered NTLM Hosts +83ms cypress:plugin:ntlm-auth Created NTLM ready agent for client 127.0.0.1:50475 to target http://[removed]:80/ +0ms cypress:plugin:ntlm-auth Sending NTLM message type 1 +5ms cypress:plugin:ntlm-auth received NTLM message type 2 +6ms cypress:plugin:ntlm-auth Sending NTLM message type 3 with initial client request +10ms cypress:plugin:ntlm-auth NTLM authentication failed, invalid credentials. +4ms cypress:plugin:ntlm-auth client closed socket, closing tunnel to localhost:50456 +477ms cypress:plugin:ntlm-auth Removed agent for 127.0.0.1:50475 due to socket.close +965ms

[bjowes]

Thanks for the logs, now I can rule out any protocol issues. Your setup looks correct and the logs show that dgsapi is detected as a NTLM site and authentication is attempted.

Just a hunch - would you happen to have a backslash in your password? Make sure you escape it properly, otherwise it will likely be treated as a control character. Example: If you password is pass\w0rd, you need to enter it as the js string: 'pass\\w0rd'

Secondly, could you try running a browser in incognito mode and access your api? That should force you to enter the credentials manually rather than using your logged in user automatically. That way you can test your credentials against the site.

[danbord]

No backslash in my password and no special characters.

I tried with chrome incognito and its working without entering any password since its ntlm is passed through directly.

Daniel

[bjowes]

Huh! I thought incognito mode would force credentials pop up. Could you try with this instead to force it?

https://stackoverflow.com/questions/33283442/how-to-turn-off-windows-integrated-authentication-in-chrome

[danbord]

Ok now it prompts for the password in chrome... and guess what.. its working :/

[bjowes]

Well, I'm out of ideas for now. Will get back to you when I have something else you could try.

[bjowes]

New idea - have you applied some security hardening to your machine? The current version of this plugin only supports NTLMv1, not NTLMv2. I have found that Windows can be configured to not accept NTLMv1, and that setting then applies to the IIS also.

Could you check:

• Use “Start->Run” and type in “gpedit.msc” in the “Run” dialog box. A “Group Policy” window will open.
• Click down to “Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
• Find the policy “Network Security: LAN Manager authentication level”.
• Right click on this policy and choose “Properties”. What is the setting? If it is set to "Send NTLMv2 responses only. Refuse LM & NTLM" it will not work. You could then attempt setting it to "Send NTLMv2 responses only."

I see a need to support NTLMv2 and have found another library that does this. Will create a separate issue and implement it.

[danbord]

Wow you're good! Ok after verification, yes my setting in my GP is at "Send NTLMv2 response only. Refuse LM & NTLM"

Do you think you'll be able to implement that NTLMv2 soon?

Thanks

[bjowes]

Thanks :)

Yeah, the library I looked into seems quite similar to the one I am currently using, so it should be quite easy. Just need some time to ensure it doesn't mess up anything. Should be done by the end of this week.

[danbord]

Great thank you very much!

[danbord]

I changed my policy to "Send NTLM response only" and now it seems to work :)

[bjowes]

Happy to hear it!

[bjowes]

Just released 1.1.0 with NTLMv2 support. Please give it a try! I tried to reproduct your issue, but I don't think I am authorised to change the right settings on our test webserver so I couldn't reproduce it. But the new version does support NTLMv2, so I hopeful it will work even with the strictest setting "Send NTLMv2 response only. Refuse LM & NTLM".

[danbord]

@bjowes , It works flawless! You saved the day. Thanks a bunch!