Apache JMeter – Test Plan – ASP.Net – Forms Authentication – Troubleshooting

Background

In a previous post we described the steps we took to design a test plan for authenticating users against an ASP.Net web site.

In this post, we shed light on the headwinds that battered us along the way.

 

Headwinds

Outline

  1. Workflow
  2. Thread Group
    • Thread Group Configuration
      • More threads than necessary
  3. HTML Page
    • Hidden fields
    • Entry fields
    • Action or Push button
  4. Component – Cookies Manager
  5. Component – View Results Tree
  6. Component – View Results Table
  7. Web Server
    • HTTP Logs
    • Failed Request Tracing

 

Workflow

This is a very crude drawing …

Image: Workflow_20171026_0533PM

But it hopefully shows the workflow:

  1. First HTTP Request ( Default )
    • Request the default page
  2. Second HTTP Request
    • Use the GET method to request the login page
    • The response carries the page's hidden state fields ( __VIEWSTATE, __EVENTVALIDATION, __VIEWSTATEGENERATOR )
  3. Parse the returned page
    • Using the CSS/JQuery Extractor post-processor, pull the hidden-field values mentioned above into JMeter variables
  4. Third HTTP Request
    • Use the POST method to submit the user credentials
    • Make sure the hidden-field values we parsed from the preceding GET are packaged in the same POST, as well
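The same three-request flow, as an added example that is not part of the original post and not JMeter's code: it parses the hidden fields out of the login page, tells which of them change between two GETs ( the ones that must be re-extracted every iteration ), and assembles the URL-encoded POST body. LOGIN_PAGE_1 and LOGIN_PAGE_2 are constructed stand-ins for two fetches of the same ASP.Net login page; the hidden-field names are the ASP.Net defaults, while the user, password and button field names are assumptions.

```python
"""Added example (not the post's own code): the three-request login flow above,
done outside JMeter so each step can be checked by hand.

LOGIN_PAGE_1/LOGIN_PAGE_2 are constructed stand-ins for two GETs of the same
ASP.Net login page; the hidden-field names are the ASP.Net defaults, while the
user/password/button field names are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlencode
import http.cookiejar
import urllib.request

LOGIN_PAGE_1 = """<html><body>
<form method="post" action="./Login.aspx" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGQ+abc=" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="C2EE9ABB" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAN4+1a=" />
<input name="ctl00$Main$txtUser" type="text" id="Main_txtUser" />
<input name="ctl00$Main$txtPassword" type="password" id="Main_txtPassword" />
<input type="submit" name="ctl00$Main$btnLogin" value="Log In" id="Main_btnLogin" />
</form></body></html>"""

# Second GET of the same page: __VIEWSTATE and __EVENTVALIDATION changed, the generator did not.
LOGIN_PAGE_2 = (LOGIN_PAGE_1.replace("/wEPDwUJNzgzNDMwNTMzZGQ+abc=", "/wEPDwUJNzgzNDMwNTMzZGQ/def=")
                            .replace("/wEdAAN4+1a=", "/wEdAAN4+2b="))


class HiddenFieldParser(HTMLParser):
    """Collect name -> value for every <input type="hidden"> plus the form action."""

    def __init__(self):
        super().__init__()
        self.hidden = {}
        self.action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def extract_hidden_fields(html):
    """Step 3 of the workflow: return (form action, {hidden field name: value})."""
    p = HiddenFieldParser()
    p.feed(html)
    return p.action, p.hidden


def dynamic_fields(hidden_a, hidden_b):
    """Names whose value differs between two GETs of the same page. These are the
    per-request fields that must be re-extracted on every iteration; hard-coding
    them is what turns into a replayed, rejected POST."""
    return sorted(n for n in hidden_a if n in hidden_b and hidden_a[n] != hidden_b[n])


def build_login_body(hidden, username, password,
                     user_field="ctl00$Main$txtUser",
                     pass_field="ctl00$Main$txtPassword",
                     submit_field="ctl00$Main$btnLogin", submit_value="Log In"):
    """Step 4: every hidden field the server sent back, the credentials and the button
    that was 'clicked'. urlencode escapes the '+', '/' and '=' inside __VIEWSTATE; in
    JMeter that is the 'Encode?' tick box on each parameter."""
    fields = dict(hidden)
    fields[user_field] = username
    fields[pass_field] = password
    fields[submit_field] = submit_value
    return urlencode(fields)


def login(base_url, username, password, login_path="Login.aspx"):
    """Steps 1-4 against a live site (needs network; not exercised offline). The CookieJar
    plays the part of JMeter's HTTP Cookie Manager: ASP.NET_SessionId from the GET and
    .ASPXAUTH from a successful POST are carried on to the following requests."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(base_url)                                                # 1: default page
    page = opener.open(base_url + login_path).read().decode("utf-8")     # 2: GET login page
    _, hidden = extract_hidden_fields(page)                              # 3: parse hidden fields
    body = build_login_body(hidden, username, password).encode()
    resp = opener.open(base_url + login_path, data=body)                 # 4: POST credentials
    return resp.status, [c.name for c in jar]
```

Run `dynamic_fields` over two captures of the real page before building the test plan: whatever it lists needs an extractor, whatever it does not list may be hard-coded.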

 

Thread Group

Thread Group Configuration

More threads than Necessary

Images
Thread Group – Configuration @ 7:11 PM

At 7:11 PM, we were hopeful and set up fifty users, a ramp-up time of 10 seconds, and 2 iterations.

ThreadGroup_20171024_0714PM

 

Thread Group – Configuration @ 1:03 AM

At 1 AM of the next day, we were humbled to 1 user and a single iteration.

ThreadGroup_20171025_1158AM

 

Explanation

Once authentication kept failing and we added the View Results Tree and View Results in Table listeners, we were seeing double: fifty threads times two iterations produced far more samples than we could read through. Part of the confusion was simply that we had more workers than necessary; while debugging, run one thread for one iteration.

 

HTML Page

Hidden Fields

Images

Explanation

  1. Make a note of all hidden fields
  2. Determine how each is populated
    • Static versus dynamic ( does the value change on every GET? )
    • Vetted against replay ( does the server reject a value captured from an earlier page, as the MAC-protected __VIEWSTATE and __EVENTVALIDATION do? )
  3. Encoded ( Yes or No ): the base64 values contain "+", "/" and "=", so they must be URL-encoded when placed in the POST

 

Cookies Manager

For state management you will need cookies on both sides: ASP.Net issues a session cookie ( ASP.NET_SessionId ) and, after a successful login, the forms-authentication ticket ( .ASPXAUTH ), and the client has to send them back on every subsequent request. Add an HTTP Cookie Manager to the thread group and save yourself the headache.

Image

Image – Before

HTTPCookieManager_20171025_1152AM

Image – After

HTTPCookieManager_20171026_0459PM

Explanation

  1. Once things are good
    • Clear cookies each iteration
      • Mark “Clear cookies each iteration” once you are comfortable with your design, so that every iteration starts unauthenticated instead of riding on the .ASPXAUTH cookie left over from the previous one ( otherwise later iterations never exercise the login )

 

View Results Tree

Get

View Results Tree – Request

Image

ViewResultsTree_Request_20171025_1204PM

 

Explanation

Take a good look at the Post data:

  1. Post data
    • Is the user field populated?
    • What about the hidden fields?
      • Are the hidden fields supplied by the system, and do they vary from request to request as a countermeasure against replay?

 

View Results Tree – Response data

Image

ViewResultsTree_ResponseData_20171025_1204PM

 

Explanation

Our response data looks perfect.

Post

View Results Tree – Request

Image

ViewResultsTree_Request_20171025_0127PM

 

Explanation
  1. Get data
    • Because our request is a POST, not a GET, the Get data pane is empty
  2. Cookies Data
    • We are authenticated and we have our cookies

 

Web Server

Please check IIS Logs and enable Failed Request Tracing

  • HTTP Logs
  • Failed Request Tracing

Failed Request Tracing

The IIS Failed Request Tracing module offers superlative debugging tooling: it records, per request, the module and stage at which the request failed, which the plain HTTP log does not.

Failed Request Tracing – 001

Failed Request Tracing – 001 – Image

 

Failed Request Tracing – 001 – Textual

Validation of viewstate MAC failed. 
If this application is hosted by a Web Farm or cluster, ensure that machineKey configuration specifies the same validationKey and validation algorithm. 
AutoGenerate cannot be used in a cluster.
See http://go.microsoft.com/fwlink/?LinkID=314055 for more information.

Explanation

The __VIEWSTATE we posted decoded fine, but its MAC did not verify. In a load-test context that means the value was either signed by a different node ( the GET was served by one web-farm node and the POST landed on another whose machineKey is auto-generated, hence the message's advice ) or altered on its way into the POST while still decoding as base64.

 

 

Failed Request Tracing – 002

Failed Request Tracing – 002 – Image

 

Failed Request Tracing – 002 – Textual

The state information is invalid for this page and might be corrupted.

Explanation

Here the posted __VIEWSTATE could not even be decoded. The usual JMeter causes are an extractor that captured only part of the value, or a value placed in the POST without URL-encoding, so that its "+" characters arrived as spaces.
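A toy model of what the two Failed Request Tracing messages correspond to, as an added example that is neither the post's code nor ASP.Net's: page state is serialized, HMAC-tagged and base64-encoded into a hidden field, and `validate` reports "state-invalid" when the field does not decode and "mac-failed" when it decodes but was signed under another key or altered. The real viewstate format, serializer and algorithm differ; only the failure modes are the point. The two node keys and the sample state are constructed.

```python
"""Toy model of ASP.Net viewstate MAC validation, added here to show what the
two Failed Request Tracing messages correspond to.  Example code, not the
post's or ASP.Net's own: the real format and algorithm differ, the failure
modes do not.  Keys and state are constructed."""
import base64
import binascii
import hashlib
import hmac
import json
from urllib.parse import quote_plus, unquote_plus

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed stand-ins for two nodes' <machineKey validationKey="..."> values.
KEY_NODE_A = b"node-a-validationKey-constructed"
KEY_NODE_B = b"node-b-validationKey-constructed"
SAMPLE_STATE = {"page": "Login.aspx", "counter": 1}


def protect(state, key):
    """Serialize page state, append an HMAC over it, base64 the lot for the hidden field."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def validate(viewstate, key):
    """Return (ok, reason, state).  'state-invalid' is the analogue of 'The state
    information is invalid for this page' (the field does not decode at all);
    'mac-failed' is the analogue of 'Validation of viewstate MAC failed' (it decodes,
    but was signed with another key or altered in transit)."""
    try:
        raw = base64.b64decode(viewstate, validate=True)
    except (binascii.Error, ValueError):
        return False, "state-invalid", None
    if len(raw) <= TAG_LEN:
        return False, "state-invalid", None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "mac-failed", None
    return True, "ok", json.loads(payload)


def as_server_decodes(form_value):
    """The server form-decodes every POST field: '+' becomes a space and %XX is
    unescaped.  A JMeter parameter sent raw ('Encode?' unticked) goes through this too."""
    return unquote_plus(form_value)


def sample_viewstate():
    return protect(SAMPLE_STATE, KEY_NODE_A)


def scenarios():
    """The cases a JMeter troubleshooter runs into; returns {scenario: reason}."""
    vs = sample_viewstate()
    return {
        # same node, field URL-encoded by the client and form-decoded by the server
        "encoded_roundtrip": validate(as_server_decodes(quote_plus(vs)), KEY_NODE_A)[1],
        # POST lands on a farm node with a different (AutoGenerate) validationKey
        "other_node_key": validate(vs, KEY_NODE_B)[1],
        # the extractor captured only the start of the field
        "truncated": validate(vs[:8], KEY_NODE_A)[1],
        # one character changed: still decodes, so it is the MAC that fails
        "tampered": validate("f" + vs[1:], KEY_NODE_A)[1],
        # raw paste without URL-encoding: breaks as soon as the value contains a '+'
        "raw_paste": validate(as_server_decodes(vs), KEY_NODE_A)[1],
    }
```

The "raw_paste" case is the subtle one: it only fails when the particular value happens to contain a "+", which is why an un-encoded __VIEWSTATE works in some iterations and not in others.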

 

Dedication

Dedicated to Michael Stover.

Main » jmeter-user » 2003-07 » RE: using the regular expression extractor to obtain a form value
Link

MichaelStoverWorkflow_20171026_0545PM


					

IIS Logs / Log Parser Studio – Aggregated Hits per Server

Background

Our monitoring team has developed and rolled out scripts for monitoring our web farm, and we are getting the alerts through email.

Quite a lot of emails are coming across, and we wanted to see whether they originate from the same host or from a combination of hosts.

 

Emails

Looking at the emails, they happen to be coming from the same host.

So we will have to engage our Network team and see how the Load Balancer is configured.

Is there a prospect that more traffic is being directed at the failing node?

Network Load Balancer

As we prepared to go to the Network Load Balancer team, we took the opportunity to gather and query the IIS logs as well.

 

TroubleShooting

Log Parser Studio

Query


SELECT
          TO_STRING(date, 'yyyy-MM-dd') AS dated
        , sc-status AS status
        , SUM( CASE s-ip WHEN '10.0.4.25' THEN 1 ELSE 0 END ) AS S1
        , SUM( CASE s-ip WHEN '10.0.4.26' THEN 1 ELSE 0 END ) AS S2
        , SUM( CASE s-ip WHEN '10.0.4.27' THEN 1 ELSE 0 END ) AS S3
        , SUM( CASE s-ip WHEN '10.0.4.28' THEN 1 ELSE 0 END ) AS S4
        , MIN( TO_TIMESTAMP(date, time) ) AS tsRecordedMin
        , MAX( TO_TIMESTAMP(date, time) ) AS tsRecordedMax
FROM    '[LOGFILEPATH]'
WHERE   TO_TIMESTAMP(date, time)
            BETWEEN TIMESTAMP('2017/08/02 10:30:00', 'yyyy/MM/dd hh:mm:ss')
                AND TIMESTAMP('2017/08/02 17:20:00', 'yyyy/MM/dd hh:mm:ss')
/*
        AND c-ip NOT IN ('10.0.4.141')
*/
GROUP BY
          date
        , sc-status
ORDER BY
          dated
        , status
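The same aggregation in Python, as an added example that is not part of the original post, so it can be run offline over a handful of lines and the per-node shares compared directly. SAMPLE_LOG is a constructed W3C extended-format log with a reduced field list; the node addresses are the ones in the query, and an "other" bucket catches hits from any address the query would have silently ignored.

```python
"""Added example, not the post's own code: the Log Parser query above reproduced
in Python.  SAMPLE_LOG is a constructed W3C extended-format log with a reduced
field list; the node addresses are the ones in the query."""
from datetime import datetime

SERVERS = {"10.0.4.25": "S1", "10.0.4.26": "S2", "10.0.4.27": "S3", "10.0.4.28": "S4"}

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2017-08-02 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem sc-status c-ip
2017-08-02 10:29:59 10.0.4.25 GET /default.aspx 200 10.0.4.141
2017-08-02 10:31:05 10.0.4.25 GET /default.aspx 200 10.0.4.141
2017-08-02 10:31:06 10.0.4.26 GET /default.aspx 200 10.0.4.142
2017-08-02 10:31:07 10.0.4.27 GET /default.aspx 200 10.0.4.143
2017-08-02 10:32:10 10.0.4.25 GET /login.aspx 500 10.0.4.141
2017-08-02 10:32:11 10.0.4.25 POST /login.aspx 500 10.0.4.142
2017-08-02 11:05:00 10.0.4.28 GET /default.aspx 200 10.0.4.143
2017-08-02 17:20:01 10.0.4.26 GET /default.aspx 200 10.0.4.141
"""


def parse_w3c(text):
    """Yield one dict per record.  Column names come from the #Fields: directive,
    because the W3C field list is configurable per site and can change mid-file."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data record before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than mis-assign columns
        yield dict(zip(fields, values))


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def aggregate_hits(text, servers, start, end):
    """The query's GROUP BY date, sc-status within [start, end]: per group, hits per
    node plus the earliest and latest timestamp.  Hits from an address that is not
    in `servers` land in 'other' so that nothing is silently dropped."""
    start, end = _ts(start), _ts(end)
    out = {}
    for rec in parse_w3c(text):
        ts = _ts(rec["date"] + " " + rec["time"])
        if not (start <= ts <= end):
            continue
        key = (rec["date"], int(rec["sc-status"]))
        row = out.get(key)
        if row is None:
            row = out[key] = {name: 0 for name in servers.values()}
            row.update(other=0, tsRecordedMin=ts, tsRecordedMax=ts)
        row[servers.get(rec["s-ip"], "other")] += 1
        row["tsRecordedMin"] = min(row["tsRecordedMin"], ts)
        row["tsRecordedMax"] = max(row["tsRecordedMax"], ts)
    return out


def share_per_server(result, status):
    """Fraction of hits with the given status that each node absorbed.  A node far
    above 1/N for the failing status is the 'more traffic at the failing node'
    hypothesis; even shares, as in the post, point back at the host itself."""
    totals = {}
    for (_, st), row in result.items():
        if st != status:
            continue
        for name, n in row.items():
            if name.startswith("tsRecorded"):
                continue
            totals[name] = totals.get(name, 0) + n
    grand = sum(totals.values())
    return {name: (n / grand if grand else 0.0) for name, n in totals.items()}
```

Comparing the share for HTTP 200 with the share for the failing status is the quicker read than the raw counts: balanced 200s and a lopsided 500 column say the balancer is fair and the node is sick.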



Output

Time Range – 1 ( August 2nd 10:30 AM – 5:20 PM )

Results

Explanation
  1. It is difficult to make the case that traffic is being funnelled disproportionately into a specific host

Time Range – 2 ( August 8th 5:13 PM – 8:40 PM )

Results

Explanation
  1. In our second time slot, the count of roughly 4700 records bearing HTTP 200 is right around average

Summary

At this time it is likely that the trouble we are seeing on this specific host is not due to outside pressure ( it is not receiving more traffic than its peers ) but to something internal to the host itself.

 

Internet Information Services (IIS) / Log Parser – Queries – String Pattern Matching

Background

Looking for File I/O Exceptions in the Event Viewer.

 

Query

Sample

Sample 001

Code


SELECT TOP 100 
 
         TimeGenerated
       , ComputerName
       , EventCategoryName
       , EventTypeName
       , EventID
       , SourceName
       , Message as Mesg
       , Strings as Strings
       , EXTRACT_TOKEN(Strings,1,'|') AS AppName
       , EXTRACT_TOKEN(Strings,2,'|') AS AppVersion
       , EXTRACT_TOKEN(Strings,3,'|') AS S3
       , EXTRACT_TOKEN(Strings,4,'|') AS Module
       , INDEX_OF(Message, 'System.IO.IOException') as indexOf
       , case INDEX_OF(Message, 'System.IO.IOException') 
            when 0 then 'N'
            when NULL then 'N'
            else 'Y'
         end as IOE
       , CASE strcnt(Message, 'System.IO.IOException')
             when 0 then 'No'
             else 'Yes'   
         end as IOException
 
from  '[LOGFILEPATH]'
 
WHERE ( EventType = 1 OR EventType = 2 )

and    INDEX_OF(Message, 'System.IO.IOException') > 0

 
ORDER BY
         TimeGenerated DESC


Output

 

Explanation

  1. INDEX_OF
    • We use INDEX_OF to find the position of the sought string in the Message column
      • When the column contains System.IO.IOException, it returns the starting position of the match
      • When not found, NULL is returned, which is why the CASE treats NULL as 'N'
  2. STRCNT
    • We invoke STRCNT to count the number of matches
      • When the string is not found, 0 is returned
      • When matched, the number of matches
    • STRCNT(Message, 'System.IO.IOException') > 0 is the more robust WHERE filter: it does not depend on where in the message the match sits, whereas INDEX_OF(...) > 0 would drop a message that begins with the pattern if positions are counted from zero

 

References

  1. StackOverflow
    • Log Parser Case Statement
      Link

 

Input Error: Can not find script file “c:\inetpub\adminscripts\adsutil.vbs”

Background

Trying to inspect an IIS configuration setting on a MS Windows 2008 box, I ran into an error because the MS script that drives the whole thing is missing.

Lab

Code


set "_baseScriptFolder=c:\inetpub\adminscripts"

set "_identifier=1"

rem Read the NTAuthenticationProviders metabase property of the /reports
rem application under web site %_identifier%
cscript "%_baseScriptFolder%\adsutil.vbs" get w3svc/%_identifier%/root/reports/NTAuthenticationProviders

Output


Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Input Error: Can not find script file "c:\inetpub\adminscripts\adsutil.vbs".

 

Diagnostic

MS Windows 2008 ships with IIS v7. The Admin Scripts were discontinued after IIS v6.

To get c:\inetpub\adminscripts\adsutil.vbs back, one has to augment IIS with “IIS 6 Scripting Tools“. These are compatibility shims on top of the IIS 6 metabase/ADSI interface; add them only where something still depends on that interface, since they widen the management surface of the server, and prefer the native appcmd.exe for the same lookups on IIS 7.

Remediation

GUI

Steps

  1. Open Server Manager
  2. Click on Web Server (IIS)
  3. Scroll to Role Services and click “Add Role Services”
  4. You will need to install
    • IIS 6 Management Compatibility
      • IIS 6 Metabase Compatibility
      • IIS 6 WMI Compatibility
      • IIS 6 Scripting Tools

 

AddRoleServices-Menu

Walkthrough

SelectRoleServices

Revised

SelectRoleServices - After

Script


start /w pkgmgr /iu:IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts

References

AdminScripts folder is missing in IIS 7

  1. AdminScripts folder is missing in inetpub in IIS 7 RS
    Link
  2. Missing IIS admin scripts – Can not find script file
    Link

 

IIS Management

  1. Saad Ladki
    Home > Learn > Install > Chapter 1. Installing IIS 7 > Install Typical IIS Workloads
    Link
  2. IIS Team – You do not have permission to view this directory or page using the credentials that you supplied.
    Link

 

IIS – ASP & ASP.Net – Session State Management – In Process

Background

I have a few ASP.Net applications running on a MS Windows 2003 box.

Occasionally, the applications error out.

 

Error

Textual:


Procedure or function 'listDatesWithEventsForMonth' expects parameter '@memberIdentifier', which was not supplied.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.Data.OleDb.OleDbException: Procedure or function 'listDatesWithEventsForMonth' expects parameter '@memberIdentifier', which was not supplied.

Source Error: 

Line 613:
Line 614:
Line 615:            objDBReader = objDBCommand.ExecuteReader();
Line 616:
Line 617:            while (objDBReader.Read())

 

Thoughts …

There is nothing more disconcerting than an application written years ago crashing out so ungracefully on its original developer.

Yes, there are problems, but I am too lazy to fix them.

The problems include:

  1. Architectural – In-Process Session Management
    • We should not be using in-process session state, but out-of-process ( StateServer or SQL Server ).
      • With out-of-process state management, worker process recycling does not null out session state
      • Same for the errant “Worker Process” that occasionally dies
  2. Architectural – Web Garden
    • Insufficient consideration of multiple worker processes: in-process session state is private to each worker process, so a web garden would scatter sessions across them
  3. Coding Issue
    • Why am I not sanitizing my variables; that is, when I read state data via Session[x], I should make sure it is not null before passing it off to the DB
      • When null, display an error message and return to the most relevant screen depending on what is missing

Code

Here is the code snippet:


        protected void getUserInfo()
        {
            System.Security.Principal.IIdentity objIdentity;
            Boolean bAuthenticated;

            // get the currently logged-on user
            objIdentity = User.Identity;
            bAuthenticated = objIdentity.IsAuthenticated;
            strMemberName = objIdentity.Name;

            // get the currently selected member; once the session has been
            // recycled away, Session["memberID"] is null and strMemberID stays unset
            if (Session["memberID"] != null)
            {
                strMemberID = Session["memberID"].ToString();
            }
        }

To sanitize the read in session variable, please change it a bit to something like this:


        protected void getUserInfo()
        {
            System.Security.Principal.IIdentity objIdentity;
            Boolean bAuthenticated;

            objIdentity = User.Identity;
            bAuthenticated = objIdentity.IsAuthenticated;
            strMemberName = objIdentity.Name;

            if (Session["memberID"] != null)
            {
                strMemberID = Session["memberID"].ToString();
            }

            // On 2015-08-10, dadeniji
            // sanitize: a missing member id means the session has expired or been
            // recycled, so send the user back to the login page instead of calling
            // the stored procedure with a null parameter
            if (String.IsNullOrEmpty(strMemberID))
            {
                String strURLHome = "login.aspx";
                // endResponse = true stops page processing here (ASP.Net does so by
                // raising ThreadAbortException, which is expected)
                Response.Redirect(strURLHome, true);
            }
        }

 

 

Bandage

Let us take to Google and see what kind of bandage we can wrap over this self-inflicted wound.

Google Hits

 

Apply

Web.Config

  1. ASP.Net Configuration Settings – State Management
    • Session timeout ( in minutes ):
      • Change from 20 minutes to 300 minutes
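The two settings side by side, as an added web.config fragment that is not taken from the post's own configuration: the in-process mode the post keeps, with the longer timeout it applied, and the out-of-process alternative the Thoughts section argues for. The state-server address is the ASP.NET State Service default on the local machine and is an assumption.

```xml
<configuration>
  <system.web>

    <!-- What the post applied: still in-process, timeout raised from 20 to 300 minutes.
         Session data lives inside w3wp.exe, so an app-pool recycle, idle shutdown or
         crash still empties Session[...] regardless of the timeout. -->
    <sessionState mode="InProc" timeout="300" />

    <!-- The alternative: keep state in the ASP.NET State Service (start it with
         "net start aspnet_state").  It survives recycles and is shared by every worker
         process in a web garden, so the default 20-minute timeout can stay.
         Only one sessionState element may be active; swap the comment markers. -->
    <!--
    <sessionState mode="StateServer"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  timeout="20" />
    -->

  </system.web>
</configuration>
```

State-server traffic is not encrypted and the service accepts only local connections by default, so on a farm, where every node must reach one shared state server, keep it on a trusted segment. Whichever mode is used, a longer session timeout also lengthens the time a hijacked or unattended session stays valid.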

 

 

ASP.Net Configuration Settings – State Management ( Before )

sessionStateSettings (before)

After

sessionStateSettings (after)

 

Application Pool

  1. Recycling
    • Recycle working process ( in minutes ):
      • Keep at 1740
  2. Performance
    • Idle Timeout
      • Shutdown Worker processes after being idle for ( time in minutes )
        • Changed from 20 minutes to 300 minutes
    • Web Garden
      • Maximum Number of Worker Processes
        • Left as 1

 

Recycling ( Before )

Application – Performance [ Before ]

Performance (Before)

 

Application – Performance [ After ]

Performance (After)

 

Summary

In summary, we modified the session state timeout on the web site, via the web.config file.

The change increases the idle timeout from 20 minutes to 5 hours. 2 to 3 hours would likely have been sufficient, as this is not a heavily used web server and so we are not competing with other web sites or users.

On the worker process side, which is fronted by the Application Pool configuration, we modified the idle timeout setting in similar fashion, from 20 minutes to 5 hours.

Both changes are a bandage: a longer lifetime means a hijacked or unattended session stays usable for longer, and a recycle or crash still wipes in-process state. It goes without saying that the application itself needs to be significantly cleaned up. We need to capture session timeouts and sanitize the data read in, rather than assume it is always valid.

 


IIS – Web Site Configuration Inspection using msdeploy

Background

I am trying to get this 3rd party web application to work properly, but it so happens that for one virtual directory (vdir) the global.asa is read, while for another vdir the global config file is not being read.

 

Trouble-shooting

Eye Balling

Tried eye-balling, but I can’t figure out what is different.

WebDeploy

Download & Install

Download WebDeploy from http://www.iis.net/downloads/microsoft/web-deploy. The current version is 3.5 and so the rest of this post will assume that is the version we are using.

And, install it.

 

Where is it installed?


dir msdeploy.exe /s

Image:

WhereIsMsdeployPlaced

 

Usage


"C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe" -verb:dump -source:appHostConfig="Default Web Site" -xml > c:\tmp\websiteconfigDefault.xml

 

Review

Using a text editor review the XML Configuration file.

DirPath

Let us review the directory path for both folders.

Please keep in mind that — “the IntegratedLogin works, but the Login does not work“.

 

IntegratedLogin

dirPath path="IntegratedLogin" securityDescriptor="D:" parentSecurityDescriptors="" attributes="Directory"

 

dirPath-Login

 

Login

dirPath path="Login" securityDescriptor="D:" parentSecurityDescriptors="" attributes="Directory"

 

dirPath-IntegratedLogin

 

Tabulated:

Attribute                  Folder :- IntegratedLogin   Folder :- Login
path                       IntegratedLogin             Login
securityDescriptor         D:                          D:
parentSecurityDescriptors  [empty]                     [empty]
attributes                 Directory                   Directory

 

 

Things are same.

Application & Virtual Directory

Let us review the Application and Virtual Directory settings for both folders.

Please keep in mind that — “the IntegratedLogin works, but the Login does not work“.

 

XMLBrowser

 

 

Very Quick Explanation:

  • The virtual directories are listed under application path=”/”
    • Neither /Login nor /IntegratedLogin is listed there as a virtual directory
  • In the list of application paths
    • /Login is listed
    • But /IntegratedLogin is not

 

Let us go remove Login as an Application.

Here is IIS before the change:

iismanager-before

 

And, as we make the change we are prompted:

removeApplication

 

Here it is:

iismanager-after

Technical Summary

Things work for /IntegratedLogin but not for /Login because Login was defined as an Application.

In classic ASP, global.asa is scoped to an application: each IIS application reads the global.asa in its own root and gets its own Application object, so a folder promoted to an application does not inherit or access the parent site's global.asa.

The global.asa file is where we initialized and populated our global variables, so under /Login they were never set.

Unfortunately, the original application contained the awful “on error resume next“, which silently swallowed the resulting errors instead of surfacing them.

Once we removed it and added code to list our Application variables, we were more comfortable with our solution.


' Restore default error handling so that failures surface instead of being
' swallowed by "on error resume next"
On Error GoTo 0

Dim iNumberofApplicationContentObjects
Dim x

iNumberofApplicationContentObjects = Application.Contents.Count
Response.Write "iNumberofApplicationContentObjects " & CStr(iNumberofApplicationContentObjects) & "<BR>"

' Debug aid only: this echoes every Application variable ( connection strings
' included ) to the browser, so remove it or restrict it once the check is done.
' HTMLEncode keeps any markup stored in a variable from being rendered.
For Each x In Application.Contents
    Response.Write Server.HTMLEncode(x & "=" & Application.Contents(x)) & "<br>"
Next
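The eye-balling step above done by machine, as an added example that is not part of the original post: it parses the msdeploy dump, diffs the attributes of two named dirPath elements, and lists which folders under the root application are also applications in their own right ( the /Login symptom ). SAMPLE_DUMP is a constructed, simplified approximation of what -verb:dump writes; the real file carries many more elements and attributes, and the element names used here ( application, virtualDirectory, dirPath ) are assumptions based on the fragments shown above.

```python
"""Added example, not the post's own code: compare two folders in an msdeploy
appHostConfig dump programmatically.  SAMPLE_DUMP is a constructed, simplified
approximation of the dump's shape; the element names (application,
virtualDirectory, dirPath) are assumptions based on the fragments above."""
import xml.etree.ElementTree as ET

SAMPLE_DUMP = r"""<output>
  <appHostConfig path="Default Web Site">
    <application path="/" applicationPool="DefaultAppPool">
      <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot">
        <dirPath path="IntegratedLogin" securityDescriptor="D:" parentSecurityDescriptors="" attributes="Directory" />
        <dirPath path="Login" securityDescriptor="D:" parentSecurityDescriptors="" attributes="Directory" />
      </virtualDirectory>
    </application>
    <application path="/Login" applicationPool="DefaultAppPool">
      <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot\Login" />
    </application>
  </appHostConfig>
</output>"""


def load_dump(xml_text):
    """Parse the dump.  It is our own server's configuration, so the stdlib parser
    is fine; for XML of unknown origin prefer defusedxml."""
    return ET.fromstring(xml_text)


def attributes_of(root, tag, key_attr, key_value):
    """Attributes of the first <tag> whose key_attr equals key_value."""
    for el in root.iter(tag):
        if el.get(key_attr) == key_value:
            return dict(el.attrib)
    raise KeyError(f"<{tag} {key_attr}={key_value!r}> not found")


def diff_attributes(root, tag, key_attr, left, right):
    """attr -> (left value, right value) for every attribute that differs between the
    two elements; only 'path' differing is the 'things are the same' verdict above."""
    a = attributes_of(root, tag, key_attr, left)
    b = attributes_of(root, tag, key_attr, right)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def application_paths(root):
    return sorted(el.get("path") for el in root.iter("application"))


def folders_promoted_to_applications(root):
    """Folders under the root application that are also applications in their own
    right.  Each classic ASP application reads only the global.asa in its own root
    and has its own Application object, so such a folder never sees the parent's."""
    apps = set(application_paths(root))
    promoted = []
    for app in root.iter("application"):
        if app.get("path") != "/":
            continue
        for d in app.iter("dirPath"):
            if "/" + d.get("path") in apps:
                promoted.append(d.get("path"))
    return sorted(promoted)
```

Feed it the real c:\tmp\websiteconfigDefault.xml with `load_dump(open(path, encoding="utf-8").read())`; if the element names in the real dump differ from the assumed ones, adjust the tag arguments rather than the logic.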

 

Listening

Daryl Singletary: I Let Her Lie (video)
https://www.youtube.com/watch?v=zX0pQ0QdUg8

 
