Tuesday, March 16, 2010

How to handle the Windows Authentication pop-up with Selenium RC

For the first pass at this post, the scope is going to be pretty narrow. I'm going to try to use terminology that makes sense, but it may not be entirely accurate. I think that when I was trying to solve this problem, it's part of why I struggled.

I was working on a Selenium script for a newly built internal QA web site (yay!). When I go to this web site, however, before the web site loads at all, I get a little modal dialog box that asks me for authentication:



Well, Selenium has no capability for dealing with this box. I found, after much searching for terms like "selenium authentication", that putting the username and password into the URL was not going to help me. I have come to learn that that kind of authentication is called "HTTP authentication". If that's what you need, you should be able to solve it via this Selenium FAQ post: Selenium and Basic HTTP Authentication

I tried it, but it did not help.

It turns out, what my site was doing was a form of Windows-based authentication. And, as it turns out, it's not something Selenium can take care of at all. If hard-pressed, you can use something like AutoIT to script that part out. I don't yet need something that robust, so I decided to go with simpler solutions. I did find this great post from Atlassian blogs about writing a Selenium Container to deal with Windows Basic Authentication.

In any case, for the time being, I have created a Firefox profile just for use with Selenium, and then have told the Selenium server to use that profile, rather than creating a clean profile every time.

So how do ya do that?

Start by creating a Firefox profile. How to do that is actually pretty well documented here:


I should note here also that I have seen it recommended that whatever profile you create here should be in a different directory than the default profile directory that Mozilla uses. I did do that, for easy access, at the very least.

There's a really great blog post here, about some other profile configurations that can be made to optimize automated testing. There are some great settings in there that will save you heartache.

Once I created a profile that I intended to be used for Selenium, I started Firefox under that profile. In order to have the authentication dialog stop appearing, I had to go into the configuration for Firefox and tweak a few settings:

In the URL bar, type "about:config"

Tell it yes, you'll behave, and then you see a long list of configuration parameters. In the Filter box, type "ntlm".

You'll see 3 entries ... we care most about the "network.automatic-ntlm-auth.trusted-uris" one. In this one, type the server names that you want to stop this behavior on. For me, I just typed "qa1,localhost" (qa1.domain.com is my test server).

The Atlassian post above indicates that you should also change the "network.ntlm.send-lm-response" to true, so feel free to do that, too (I didn't and it still worked for me, so ..... just try it and see what works?).

Then, you've got this profile ready to go. So the next thing is to tell the Selenium server to use that profile. When you start the Selenium server, pass it the following parameter:
-firefoxProfileTemplate "path-to-profile"

As a matter of preference, if you're not using Sauce RC, I'd highly recommend it. You can download it for free here: Sauce RC

It will run your selenium server for you, and has a convenient "Preferences" page where you can put in the parameters you need. If you're like me, you always end up getting stuck on some dumb syntactical issue and pulling your hair out. This saves my hair, and maybe yours, too.

For the record, I am aware that I didn't cover IE or Chrome, or any other browsers. It's just because I haven't gotten to them yet. I will post about it when I do. Also, I'd love to hear your feedback if you try it and work through any other details or complications. I'd like to make this post as robust as I can ...

15 comments:

Jussi Mononen said...

Hmm, to me that authentication method just doesn't sound testable. I might raise an issue (that might get outright rejected) that a more testable auth method would be preferred.

Of course, if the auth relies on Active Directory then you are just out of lck ;-)

Dawn said...

Hi Jussi--

I *think* that if I fought hard enough, I could *probably* get it arranged to have it turned off at my current place. However, after reading about other people struggling with this issue, I felt it was worth treating as if it's not possible :)

I'd love to hear more about how these auths work. Are there different types of Windows Integrated auth -- ones that use AD, and ones that don't? How do they work? Can we work around them as test automators?

menty666 said...

out of curiosity, where do you then put in the credentials? It seems the profile change says 'don't ask for this URI', but the server still needs to know who you are, right?

Mari said...

I'd like to know the same as menty666. Where do you put the credentials to authenticate?

Dawn, your post is pretty interesting considering I have the same issue here.

Mari said...

Well, it seems that with that method, the http://user:password@server:port/something/... method works!

Thanks a lot, everything works just fine here for me now!

Dawn said...

Hi Menty666 and Mari--

To the best of my knowledge, if you enter the trusted uri's, there is nowhere to pt credentials in. My guess at this point is that it will use the credentials of the logged in user when opening the browser window.

Mari, I am glad to hear that something worked for you.

Amol Dakhane said...

Thanks a ton Dawn!!
It worked for me!!!!

Anoop said...

Hi Dawn,
I tried your steps without creating a new firefox profile to know whether its works fine. Unfortunately it didn't. Is it works only in customized firefox profile?

BTW.. It seems to be security vulnerability from the FireFox side. Is it?

Dawn said...

Hi Anoop-

If you do not create a custom FireFox profile, then the server that is asking for authentication will nto be in the "trusted sites" list and it will not work. The section where you go into the about:config and search for ntlm is effectively considering the server under test a "trusted site" for that profile (which stops the authentication dialog from appearing).

I am not sure which part you think is a security vulnerability, but adding this web server to a "trusted sites" list is something you have to do manually, and presumably you would only do that if you are inside a protected network, for example.

CreativIT said...

Hi Dawn,
1000 thanks for this great post, you save my life ... well, at least my week ;-) - a comment to share with others: I follow your instructions and at the end, I copy-paste the generated firefox profile to my \Lib\site-packages\SeleniumLibrary\firefoxprofile folder that is used when I run Robotframework test suites.

Anonymous said...

Hmm... I'm not sure about this, what about when your testing application is not on your own machine but on some remote server...how to locate this authentication window or to skip it, but if you skip this authentication window, in this case we have big security issue. Aren't we?

Anonymous said...

Hi,
I tried to set domain name in about:config -> network.automatic-ntlm-auth.trusted-uris.
I set value as "ice" als tried with "ice.corp.ebay.com"

But still when i start selenium with this firefox profile, I am getting auhentication dialog.

my url -> ice.corp.ebay.com.

Please help me on this.

bliblablubb said...

Hi,

I'd defenitely appreciate an answer to the above question!

greetz
bbb

Niroshan said...

my test enviroment is trunk.tools
could someone please please please advice the value for network.negotiate-auth.delegation-uris

TestWithUs said...

SWIFT Interview questions on

http://testwithus.blogspot.in/p/swift.htm

For selenium solution visit
http://testwithus.blogspot.in/p/blog-page.html


For QTP interview questions

http://testwithus.blogspot.in/p/qtp-questions.html


www.searchyourpolicy.com