Zap authentication using AD


Derek Graham

Jul 19, 2023, 4:35:06 AM
to OWASP ZAP User Group
Hi,

Using 2.13 and I'm struggling to work out how to authenticate. The web application runs on Windows and is on premise so uses Active Directory for authentication. I created a context and tried auto detection and a number of other options for authentication but in Zap the network requests show either Unauthorised or Bad Gateway. 

Not found this specific scenario in the docs. Any suggestions?
Thanks

Derek Graham

Jul 19, 2023, 6:02:00 AM
to OWASP ZAP User Group
To be clear, tried doing manual authentication process from docs but anything that goes through the zap proxy is returning 401 and 502 so not able to even log into the application. Also getting the "AuthScheme is null" exception in the browser depending on the auth setting we use.

psiinon

Jul 19, 2023, 6:05:50 AM
to zaprox...@googlegroups.com
So what happens when you try the Authentication Tester dialog?
How far does it get?
Can you see it logging in?
Can you share the sanitized diagnostics?

Cheers,

Simon



--
OWASP ZAP Project leader

Derek Graham

Jul 19, 2023, 7:03:37 AM
to OWASP ZAP User Group
Hi Simon, 

Failed on the first step opening the browser we get the AuthScheme is null.  

Diagnostics:

>>>>>
POST https://example0/ListAccounts
Content-Type: application/x-www-form-urlencoded
<<<
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

["token0",[]]
>>>>>
GET https://example1/index
<<<
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=utf-8


Browser Error:

ZAP Error [java.io.IOException]: java.lang.IllegalStateException: AuthScheme is null
Stack Trace:
java.lang.IllegalStateException: AuthScheme is null
    at org.apache.hc.core5.util.Asserts.notNull(Asserts.java:56)
    at org.apache.hc.client5.http.impl.auth.HttpAuthenticator.updateAuthState(HttpAuthenticator.java:216)
    at org.apache.hc.client5.http.impl.classic.ProtocolExec.needAuthentication(ProtocolExec.java:294)
    at org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:207)
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
    at org.apache.hc.client5.http.impl.classic.ZapHttpRequestRetryExec.execute(ZapHttpRequestRetryExec.java:81)
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
    at org.apache.hc.client5.http.impl.classic.ZapInternalHttpClient.doExecute(ZapInternalHttpClient.java:158)
    at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245)
    at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
    at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl0(HttpSenderApache.java:394)
    at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:297)
[wrapped] java.io.IOException: java.lang.IllegalStateException: AuthScheme is null
    at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:309)
    at org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache.sendImpl(HttpSenderApache.java:103)
    at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAuthenticated(BaseHttpSender.java:298)
    at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendNoRedirections(BaseHttpSender.java:266)
    at org.zaproxy.addon.network.internal.client.BaseHttpSender.send(BaseHttpSender.java:222)
    at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAndReceive(BaseHttpSender.java:193)
    at org.zaproxy.addon.network.internal.client.BaseHttpSender.sendAndReceive(BaseHttpSender.java:57)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:303)
    at org.zaproxy.addon.network.internal.server.http.handlers.HttpSenderHandler.handleMessage(HttpSenderHandler.java:77)
    at org.zaproxy.addon.network.internal.server.http.MainServerHandler.notifyMessageHandlers(MainServerHandler.java:133)
    at org.zaproxy.addon.network.internal.server.http.MainServerHandler.processMessage(MainServerHandler.java:115)
    at org.zaproxy.addon.network.internal.server.http.LocalServerHandler.processMessage(LocalServerHandler.java:63)
    at org.zaproxy.addon.network.internal.server.http.MainServerHandler.process(MainServerHandler.java:84)
    at org.zaproxy.addon.network.internal.server.http.MainServerHandler.channelRead0(MainServerHandler.java:73)
    at org.zaproxy.addon.network.internal.server.http.MainServerHandler.channelRead0(MainServerHandler.java:38)
    at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:61)
    at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:370)
    at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:174)
    at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:833)

thc...@gmail.com

Jul 19, 2023, 7:15:11 AM
to zaprox...@googlegroups.com
Could you provide the Authorization header for the first 2 requests?
(Just up to the scheme.)

Best regards.

thc...@gmail.com

Jul 20, 2023, 2:08:53 AM
to zaprox...@googlegroups.com
For the record, this is a known issue:
https://github.com/zaproxy/zaproxy/issues/7685

But I'm unable to reproduce it, which would greatly help fix it.

Best regards.

Derek Graham

Jul 20, 2023, 5:20:37 AM
to OWASP ZAP User Group
There doesn't appear to be an Authorization header in the first request. This initial GET is triggering an error in ZAP.

Daniel Bown

Nov 28, 2023, 12:46:47 PM
to ZAP User Group
I'm getting the issue too, in the newly-installed 2.14.0. Same problem as above.
Comparing sessions side-by-side in Fiddler, I have 4 sessions for a successful login on Fiddler, compared to 2 sessions for unsuccessful ZAP login.
Comparing ZAP and Fiddler:

ZAP session 1 and Fiddler session 1:
  1. the same, but parameter 'host:' is lower-case in ZAP and title-case in Fiddler. 
  2. 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' in ZAP, 'Accept-Language: en-GB,en;q=0.9' in Fiddler
ZAP does not have an equivalent of Fiddler session 2:

ZAP session 2 and Fiddler session 3:
  1. look similar, this contains header value: 'Authorization: Negotiate T------REDACTED==' and is identical.
  2. The response in ZAP is 502 'Bad Gateway', the response in Fiddler is another 401, with cookie 'WWW-Authenticate: Negotiate T---- REDACTED REDACTED='(this Negotiate value in response is roughly twice the length)
ZAP has no further sessions but Fiddler has session 4:
  1. Authorization header parameter uses value of cookie sent in response to last request.
I also used two tools in ZAP to recheck:
  1. Manual Request Editor - I replayed the successful request from Fiddler. Again, IllegalStateException: AuthScheme is null
  2. Authentication Tester - supplied URL, name & password. Same null result as before
Company uses NTLM, I have tried to keep the details vagueish but hopefully this might be useful. I'm unable to supply URL or the app I'm afraid.

Regards
Dan
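The side-by-side comparison Dan describes (which Negotiate token each session carries, and where the exchange stops) can be done mechanically. The script below is an added example written for this page; it is not ZAP code and not something posted in the thread. It decodes the base64 token in an Authorization or WWW-Authenticate header, identifies it as an NTLM Type 1/2/3 message or a SPNEGO-wrapped token, and walks a list of proxy sessions to say how far the handshake got. Assumptions: the three-round-trip flow it checks against is the standard raw-NTLM-over-Negotiate exchange; the NTLM messages and the two session lists are constructed fixtures standing in for the redacted captures, not real traffic; the function names (build_ntlm_message, negotiate_header, classify_negotiate_token, handshake_progress) are the example's own.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"


def build_ntlm_message(msg_type, payload=b""):
    """Build a minimal NTLMSSP message of the given type (1, 2 or 3).

    Constructed fixture for this example, not captured traffic: every fixed
    field is zeroed except the signature, the type, sample flags and, for
    Type 2, a dummy 8-byte server challenge. Layout follows MS-NLMP.
    """
    if msg_type == 1:    # NEGOTIATE: flags + DomainName + Workstation field pairs
        fixed = struct.pack("<I", 0xE2088297) + b"\x00" * 16
    elif msg_type == 2:  # CHALLENGE: TargetName, flags, ServerChallenge, Reserved, TargetInfo, Version
        fixed = (b"\x00" * 8 + struct.pack("<I", 0xE28A8215) + b"\x11" * 8
                 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 8)
    elif msg_type == 3:  # AUTHENTICATE: six field pairs + flags (MIC/version omitted)
        fixed = b"\x00" * 52
    else:
        raise ValueError("NTLM message type must be 1, 2 or 3")
    return NTLM_SIGNATURE + struct.pack("<I", msg_type) + fixed + payload


def negotiate_header(msg_type):
    """Render a message as it appears on the wire: 'Negotiate <base64>'."""
    return "Negotiate " + base64.b64encode(build_ntlm_message(msg_type)).decode("ascii")


def classify_negotiate_token(header_value):
    """Say what a Negotiate/NTLM header value carries.

    Returns (scheme, kind): kind is 'bare' (a challenge with no token, the
    server's first 401), 'ntlm-typeN' for a raw NTLMSSP message, 'spnego'
    for a GSS-API/SPNEGO-wrapped token, 'invalid' for bad base64, else 'unknown'.
    """
    parts = header_value.strip().split(None, 1)
    scheme = parts[0]
    if len(parts) == 1:
        return scheme, "bare"
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return scheme, "invalid"
    if raw.startswith(NTLM_SIGNATURE) and len(raw) >= 12:
        return scheme, "ntlm-type%d" % struct.unpack_from("<I", raw, 8)[0]
    if raw[:1] in (b"\x60", b"\xa1"):  # InitialContextToken / NegTokenResp ASN.1 tags
        return scheme, "spnego"
    return scheme, "unknown"


def handshake_progress(sessions):
    """Walk proxy sessions and report how far the NTLM handshake got.

    Each session is a dict: 'authorization' (request header or None),
    'status' (int), 'www_authenticate' (response header or None).
    A healthy raw-NTLM-over-Negotiate login is three round trips:
      1. no Authorization      -> 401, WWW-Authenticate: Negotiate
      2. Type 1 (NEGOTIATE)    -> 401, WWW-Authenticate: Negotiate <Type 2>
      3. Type 3 (AUTHENTICATE) -> 2xx/3xx
    """
    steps = []
    for n, s in enumerate(sessions, 1):
        req = classify_negotiate_token(s["authorization"])[1] if s["authorization"] else "none"
        resp = classify_negotiate_token(s["www_authenticate"])[1] if s["www_authenticate"] else "none"
        steps.append((n, req, s["status"], resp))
    if not steps:
        return {"steps": steps, "verdict": "no sessions"}
    req, status, resp = steps[-1][1:]
    if req == "ntlm-type3" and status < 400:
        verdict = "completed: Type 3 accepted with HTTP %d" % status
    elif req == "ntlm-type1" and status == 401 and resp == "ntlm-type2":
        verdict = "stalled: Type 2 challenge received but no Type 3 was sent"
    elif req == "ntlm-type1":
        verdict = ("broken after Type 1: expected 401 with a Type 2 challenge, "
                   "got HTTP %d (%s)" % (status, resp))
    elif req == "none" and status == 401:
        verdict = "stalled: server challenged (%s) but the client never answered" % resp
    else:
        verdict = "incomplete handshake"
    return {"steps": steps, "verdict": verdict}


# Constructed stand-ins for the two traces compared above: a full exchange as a
# browser through Fiddler would produce, and one that dies with a 502 after Type 1.
FIDDLER_SESSIONS = [
    {"authorization": None, "status": 401, "www_authenticate": "Negotiate"},
    {"authorization": negotiate_header(1), "status": 401, "www_authenticate": negotiate_header(2)},
    {"authorization": negotiate_header(3), "status": 200, "www_authenticate": None},
]
ZAP_SESSIONS = [
    {"authorization": None, "status": 401, "www_authenticate": "Negotiate"},
    {"authorization": negotiate_header(1), "status": 502, "www_authenticate": None},
]

if __name__ == "__main__":
    for name, trace in (("fiddler", FIDDLER_SESSIONS), ("zap", ZAP_SESSIONS)):
        report = handshake_progress(trace)
        print(name, report["verdict"])
        for step in report["steps"]:
            print("  session %d: request=%s -> %d response=%s" % step)
```

Two details worth knowing when reading redacted headers like the ones above: base64 of the NTLMSSP signature always begins "TlRMTVNTUA", so a value of the form "Negotiate T..." is a raw NTLM token rather than a SPNEGO wrapper (the classifier reports the latter as 'spnego'), and a Type 2 message carries the target name and target-info block in addition to the challenge, which is why the server's token is noticeably longer than the client's Type 1.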