Cypress in Kerberos Environment

[rsudarson]

Thanks for an amazing product in e2e javascript testing.

Will cypress work in Kerberos environment. I was trying to open a internal site in electron headed mode, but request failed with 401.

What should I do to make cypress work in Kerberos environment.

[RandallKent]

Given the complex proxying Cypress does, there is likely some work to be done to get Kerberos Authentication working.

Luckily it’s an open protocol nicely documented in RFC 4120

Do you by chance have a publicly accessible environment we can test against?

[stephenjjbrown]

We're wanting to use Cypress for Oregon.gov, but we use SharePoint which uses Kerberos (or NTLM) authentication; and I can't seem to get Cypress to do the "handshake" that browsers usually do natively.

I might be able to set up an environment you could test against.

[Tarig0]

From my understanding kerberos can be achieved by injecting a kerberos token into the request header

You could use the krb5 library to generate the token with a username and password and then inject/overwrite it in the request.

[jennifer-shehane]

@stephenjjbrown There is a plugin for NTLM auth https://github.com/cypress-io/cypress/issues/850#issuecomment-454190757

[RobbieClarken]

I was able to get Kerberos authentication working in our environment by:

1. Building a Docker image with the krb5-user apt package installed and a /etc/krb5.conf file with settings for our kerberos servers.

2. When starting the docker container, run the following command before launching Cypress:

   echo "$KERBEROS_PASSWORD" | kinit "${KERBEROS_USER}@COMPANY.ORG"

3. In cypress/plugins/index.js add:

   module.exports = (on, config) => {
     on('before:browser:launch', (browser = {}, args) => {
       if (browser.name === 'chrome') {
         args.push('--auth-server-whitelist=*.company.org');
         args.push('--auth-negotiate-delegate-whitelist=*.company.org');
         return args;
       }
     });
   }

4. Run Cypress with cypress run --browser chrome.

Unfortunately it doesn't capture video because we are using chrome instead of electron. I suspect electron would work if we could add the auth-server-whitelist and auth-negotiate-delegate-whitelist options. Currently setting these in cypress/plugins/index.js doesn't work for electron because it is too late to apply them (as described in https://github.com/cypress-io/cypress/issues/1519#issuecomment-469332476).

[cgungaloo]

Hi all. Wondering if anyone had much joy in getting cypress to work with Kerberos. When I try to do it I get a 401 error.

cy.visit() failed trying to load:

https://corporate-url.com/search

The response we received from your web server was:

401: Unauthorized

I havent associated a proxy with it.

plugins/index.js

const browserify = require('@cypress/browserify-preprocessor'); const cucumber = require('cypress-cucumber-preprocessor').default; const path = require('path');

module.exports = (on, config) => {

on('before:browser:launch', (browser, launchOptions) => { launchOptions.args.push('--auth-server-whitelist=.xx.com'); launchOptions.args.push('--auth-negotiate-delegate-whitelist=.xx.com');

return launchOptions

});

const options = { ...browserify.defaultOptions, typescript: path.join(path.resolve("."), 'node_modules/typescript'), };

on('file:preprocessor', cucumber(options)); };

Interestingly when I visit url within the same cypress browser window in a different tab it can open fine.

It also opens as insecure.

Thanks for your help

[cdavid15]

This has been a problem for us in our work for a while now and it turns out its a pretty simply solution when trying to run cypress locally against Kerberos protected sites.

Rather than try and amend the cypress test scripts via browser configuration or community plugins all we needed to do was set our HTTPS_PROXY environment variable to the free Fiddler Proxy. The configuration for fiddler is as follows.

• Ensure Rules....Automatically Authenticate is enabled:

• Then open up the Tools....Options configuration window:

• Navigate to the HTTPS tab and ensure the Capture HTTPS CONNECTs and Decrypt HTTPS traffic is checked (I am assuming the systems under tests will be using HTTPS). If you are testing specific sites or just one on the internal company domain you may also want to restrict the hosts that fiddler captures. This can be set within the Perform decryption only for the following hosts field.

For further details consult the Fiddler documentation: Configure Fiddler Classic to Decrypt HTTPS Traffic

You will be asked to install the Fiddler Root certificate for the current user as Fiddler will use this when capturing traffic for the Kerberos hosts.

Now that Fiddler is ready we just need to ensure that the Cypress routes traffic to our proxy.

This is as straight forward as HTTPS_PROXY=http://localhost:8888 yarn cypress open.

Note: If you have proxy environment variables set on your system already check that the NO_PROXY variable isn't conflicting with the host you are trying to test. This can be checked within the Cypress app:

Hopefully this helps others out as this solution works good for us and has minimal impact to our cypress scripts (i.e. only needs an environment variable set).

I should also add that I have checked it works with Chrome, Edge and Electron but I assume it will work with all other browsers offered by Cypress.