FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Use Kerberos SSO Authentication in Synthetic Monitoring

CMEL
Newcomer

‎22 Dec 2022 02:33 AM - last edited on ‎22 Dec 2022 03:24 AM by Community Team

Hi community (my first post !) !

I tried to register a Synthetic monitoring on a WebAp using Kerberos Auth only.

Some considerations :

> From a Windows opened user session, I'm available to access this WebAp with my Kerberos token.

> There is no prompt for login/password (no other possibility that Kerberos, no Auth alternatives)

It looks like Synthetic Monitor can"t run that kind of Authentication.

Manually, I succeeded to log in, setting manually in cookie a "gssapi_session / MagBearerToken=xxxx" in the advanced setup of the Monitor Settings. (Token retrieved from browser debug to accessing WebAp)

But this token is only valid for some hours, so that can't be the solution to run for monitoring.

Vault doesn't seem to be the only solution, as (I think) it doesn't/can't play the Kerberos Auth.

So the idea may be to run something like "kinit" via the Vault to run the Kerveros Auth and then be able to use it in the Synthetic Monitoring.

If you have any experience, confirmaton/invalidation, suggestion ...

Thanks for your help !

CMEL

(Depending on the replies, it may be a post to recreate in "Product Ideas" ?)

(1st post ! Hope that's a good one ^_^)

Regards,
CMEL.
I was told I was using a broken english, sorry for that 🙂
Reply
7 REPLIES 7

Julius_Loman
DynaMight Guru
DynaMight Guru

‎22 Dec 2022 03:12 AM

I assume you are doing the synthetic tests from a private location, right? In the case of Synthetic ActiveGate for Windows this is achievable by running the synthetic engine as the user who has access to the Web Application.

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
Reply

CMEL
Newcomer
In response to Julius_Loman

‎22 Dec 2022 04:50 AM

Oh, yes I'm running in private location, but I have tried for now only under Linux AG ! (running Dynatrace  Managed on-prem, forgot to say it)
I'm gonna try on Windows AG and set a service account user to try this.

> I'll let you know the result (next year now) 🙂

(But it could be also a great thing to be able to run this kind of test under Linux !)

Thx !

Regards,
CMEL.
I was told I was using a broken english, sorry for that 🙂
0 Kudos
Reply

Julius_Loman
DynaMight Guru
DynaMight Guru
In response to CMEL

‎22 Dec 2022 05:02 AM

Well - I'm not sure about getting that working on Linux - but I would guess the same applies - and you have to "log in" the user which is running those synthetic tests.

@HannahM is there any recommended solution?

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
0 Kudos
Reply

HannahM
Dynatrace Champion
Dynatrace Champion
In response to Julius_Loman

‎05 Jan 2023 08:17 AM - edited ‎05 Jan 2023 08:20 AM

Kerberos definitely prefers windows, so I would go with Julius's suggestion of trying that and logging the Dynatrace Synthetic service on as a domain user - you will need to disable auto-updates if you do that though, as the Service defaults back to the Local Service user on update. So you will need to add the extra step of resetting it to your upgrade run book. 
For Linux machines, we will likely need to add the following line/ lines (depending on what the setup) to the user.properties file in the \dynatrace\synthetic\config directory.

com.ruxit.vuc.poolConfig.playerConfig.additionalStartupParams=--auth-server-whitelist="_"

or 

com.ruxit.vuc.poolConfig.playerConfig.additionalStartupParams=--auth-server-whitelist="customerdomain"
com.ruxit.vuc.poolConfig.playerConfig.additionalStartupParams=--auth-negotiate-delegate-whitelist="customerdomain"

 

Reply

CMEL
Newcomer
In response to HannahM

‎06 Jan 2023 02:03 AM

Hello,

Thanks for the reply.

The problem is that we have hundreds of applications to check. And we can't have common user credentials to test them. So that means that we must run a dedicated ActiveGate for each credential we have to access via Kerberos ...

So, I think that we can't run our checks like this.

Do you think I can post as an "idea" to have Kerberos credentials managed for Synthetic ? I must not be alone having those security constraints.

Having in the monitoring script something like a checkbox to use a credential Vault with a Kerberos init (providing domain informations) would be perfect !

Thanks,
CMEL.

Regards,
CMEL.
I was told I was using a broken english, sorry for that 🙂
0 Kudos
Reply

HannahM
Dynatrace Champion
Dynatrace Champion
In response to CMEL

‎06 Jan 2023 03:15 AM

For many instances just adding the credentials using HTTP Authentication is sufficient but it really depends on the set up. If you create a support ticket we can try to see if we can get it working and then you can decide if a Product Idea is required. 

0 Kudos
Reply

patmis
Contributor

‎14 Feb 2023 03:08 AM

Hi,

We have a similar issue here at Swiss Post. We try to monitor Webapplications which use SSO with Kerberos (Negotiate). Our ActiveGates are also running on Linux. We have now setup a Windows server for an additianal ActiveGate. However, we would prefer Linux. 

The interesting thing is, when executing a `kinit`and then starting the Chromium browser (via X11 forwarding) on the Linux host on which the AG is installed, it works. So we are not really sure, how the ActiveGate performs the Kerberos authentication. As we configure the credentials as HTTP extension, i assume that a login window from the browser is expected. Without the `kinit` the Chromium browser does not display such a login window. In our case we are redirected to a 2FA login page. 

We have now opened a support ticket to analyse this in detail.

Kind regards,
Patrick

0 Kudos
Reply
Ask a question