Authentication is the process by which the user tells the server who he/she is. The user may provide this information in a number of different ways and the server may or may not accept the credentials. After the server has accepted the user, the rest of the web application is made available. There are 3 common mechanisms of authentication in web applications, as described below.
In all cases, we recommend using different credentials for each virtual user during a load test to accurately simulate the behaviour of real-world users. We have a tutorial which illustrates a common use-case.
In this method, the username and password are entered on a web page and submitted by the browser. This may be done over either secure or insecure connections. When replaying the testcase, the default behavior is to submit the same username and password that were used during the recording. This can be customized by using the User Identity wizard or by locating and editing the fields in the Fields View.
This method uses the HTTP WWW-Authenticate and Authorization headers as described in the HTTP specification to send the credentials to the server. The browser is responsible for prompting the user for credentials. In the case of Internet Explorer, it may use the current user's credentials transparently and only prompt the user if these credentials are rejected.
This method includes a variety of protocols that determine how the credentials will be transmitted from the browser to the server. Common protocols are Basic and Digest (RFC 2617), NTLM and Kerberos. The Negotiate method (RFC 4559) allows the client and server to negotiate which protocol to use based on their capabilities. Negotiate is most commonly used by Microsoft servers and usually results in the selection of NTLM or Kerberos. Authentication with a proxy server is also supported in this method, though the headers are different: Proxy-Authenticate and Proxy-Authorization.
Load Tester currently supports Basic, NTLM and NTLM via Negotiate.
Integrated Windows Authentication is performed by IIS servers, usually using NTLM or NTLM via Negotiate, and is therefore supported by Load Tester for these security methods.
The user identity that will be provided for Basic and NTLM authentication can be customized by using the User Identity wizard or in the User Identity tab of the testcase properties dialog (select Properties from the pop-up menu on the testcase in the Navigator view).
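As an added illustration (not part of the Load Tester documentation or product), the following Python sketch classifies Authorization or Proxy-Authorization header values by the mechanism they actually carry, and flags whether that mechanism is in the supported list above. The sample headers are constructed, and looking for the NTLMSSP signature or the Kerberos OID inside a Negotiate token is a heuristic, not a full SPNEGO parser.

```python
import base64
import binascii
import struct

NTLMSSP = b"NTLMSSP\x00"                         # signature that opens every NTLM message
KRB5_OID = bytes.fromhex("2a864886f712010202")   # DER body of OID 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
SUPPORTED = {"basic", "ntlm", "negotiate/ntlm"}  # the schemes the page lists as supported

def ntlm_message(blob):
    """Name the NTLM message carried in blob (raw or wrapped), else None."""
    i = blob.find(NTLMSSP)
    if i < 0 or len(blob) < i + 12:
        return None
    (msg_type,) = struct.unpack_from("<I", blob, i + 8)  # little-endian type field
    return NTLM_TYPES.get(msg_type, "UNKNOWN")

def classify(header_value):
    """Return (mechanism, detail, supported) for one header value."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("basic", "ntlm", "negotiate"):     # e.g. Digest: not base64
        return scheme, "not in the supported list", False
    try:
        blob = base64.b64decode(token.strip(), validate=True)
    except binascii.Error:
        return scheme, "malformed token", False
    if scheme == "basic":
        user = blob.decode("utf-8", "replace").partition(":")[0]
        return "basic", "user=" + user, True             # never echo the password
    msg = ntlm_message(blob)
    if msg:
        mech = "ntlm" if scheme == "ntlm" else "negotiate/ntlm"
    elif scheme == "negotiate" and KRB5_OID in blob:
        mech, msg = "negotiate/kerberos", ""
    else:
        mech, msg = scheme + "/unknown", "unrecognised token"
    return mech, msg, mech in SUPPORTED

# Constructed sample tokens (not captured traffic); the Kerberos one is a simplified fragment.
NTLM_TYPE1 = NTLMSSP + struct.pack("<II", 1, 0x00088207)
RAW = [("Basic", b"vuser01:example-password"), ("NTLM", NTLM_TYPE1), ("Negotiate", NTLM_TYPE1),
       ("Negotiate", b"\x60\x13\x06\x06\x2b\x06\x01\x05\x05\x02\x06\x09" + KRB5_OID)]
SAMPLES = [s + " " + base64.b64encode(t).decode("ascii") for s, t in RAW]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify(header))
```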
This method uses encrypted certificates installed in the browser to identify a user over a secure (SSL) connection. Load Tester must be configured to use client certificates before the testcase can be recorded or replayed.