401 Authentication

abstract This section describes how to handle 401 authentication with Sahi.
A 401 dialog may be used in authentication of websites.

On Internet Explorer, it looks like this: On Chrome, it looks like this: On Firefox, it looks like this: However, when navigated to the same site, Sahi automatically transforms this modal dialog into a simple web page. Since it is now just another HTML page, you can easily write scripts to enter username and password into the dialog.

info Sometimes the AuthKey may have something dynamic like a timestamp in it. In such cases, a regular expression can be used. Eg. You can use /Secure/ instead of Secure Gateway in the AuthKey field above. To accept for any AuthKey one can use /.*/. Try setting AuthKey to /.*/ before troubleshooting further.
warning Ensure you have installed Java 1.8 or above.

To change the version of Java that Sahi Pro uses, edit sahi/userdata/bin/setjava.bat (or setjava.sh) and modify 
set SAHI_JAVA_HOME=C:\path\to\java1.8

401 authentication page for NTLM scheme loops or does not login even if the credentials are provided

Sahi automatically tries to authenticate the WINDOWS logged in user for the applications which support NTLM scheme. However if Sahi is unable to authenticate the user automatically, the 401 page for NTLM authentication is displayed.

The solution would differ based on your environment. Thus to address this, employ below approaches one by one:

  1. First approach :
    1. Sahi automatically populates the username for the currently logged in user. However if you use different credentials for authentication, kindly enter them.
    2. Ensure that the username is in domain\user format where both the domain name and user name are correct.
    3. Provide your password for authentication in the password field and click on the Authenticate button.
  2. Second approach :
    1. If the first approach did not work, then ensure that following property is enabled in the userdata.properties file : 
      apacheclient.enabled=true
    2. Add the following property in the userdata.properties file: 
      apacheclient.ntlm_authentication.enabled=true
    3. Restart Sahi and then launch your application in the browser.
    4. Now enter valid credentials for authentication as done in the first approach.

Sahi authenticates automatically but the username is improper

Sahi automatically tries to authenticate the WINDOWS logged in user for the applications which support NTLM scheme. If successfully authenticated, Sahi's 401 authentication page will not be displayed. However you may wish to use different credentials i.e credentials of a user other than the currently logged in user.

To address this, follow below steps :

  1. Add the following property in the userdata.properties file: 
    java.ntlm.transparent_authentication.enabled=false
  2. Restart Sahi and launch your application.
  3. Now enter valid credentials for authentication. Ensure that the username is in domain\user format where both the domain name and user name are correct.
  4. Provide your password for authentication in the password field and click on the Authenticate button.
  5. If it did not authenticate successfully, then ensure that following property is enabled in the userdata.properties file : 
    apacheclient.enabled=true
  6. Then add the following property in the userdata.properties file: 
    apacheclient.ntlm_authentication.enabled=true
  7. Restart Sahi and try again.

Handling 401 authentication page for NEGOTIATE or KERBEROS scheme

Sahi automatically tries to authenticate the user for applications which support only NEGOTIATE or KERBEROS scheme. However if Sahi is unable to authenticate the user automatically, the 401 page for authentication is displayed.

To address this, follow below steps :

  1. Verify if apacheclient.enabled property is set as true in the userdata.properties file. If this property is set as false, set it as true. Restart Sahi and try again.
  2. If Sahi was unable to authenticate automatically even after enabling apacheclient.enabled property, disable this property by setting it as false. Restart Sahi and try again.
  3. Now Sahi's 401 page for authentication is displayed. Enter credentials in this web page.
    1. Set User Principal Name as username in this web page. You can find your User Principal Name by running the command whoami /upn on the command prompt.
    2. Provide your system login password in the password field and click on Authenticate button. Restart Sahi and try again.
  4. If the authentication did not succeed, ensure apacheclient.enabled property is set as false. Then, set below properties in the userdata.properties file.
    1. Run the command 'whoami /upn' on the command prompt. This command prints your User Principal Name. Set your User Principal Name as value for java.kinit.principal_name property.
    2. Encode your system login password using Password Encoder. Set this encoded password as value for java.kinit.encrypted_password property.
  5. Restart Sahi and try again. On start, Sahi will now generate a Kerberos ticket at USER_HOME\krb5cc_USER_NAME. For example, if the Windows system's login user name is userXYZ[icode], then the Kerberos ticket will be generated at [icode]C:\Windows\Users\userXYZ\krb5cc_userXYZ.
info Henceforth, the generated Kerberos ticket will be used for authentication. However, this ticket will expire after a period after which it needs to be renewed or regenerated. Sahi will automatically regenerate the ticket on every start. To regenerate the ticket periodically without restarting Sahi, add the following property in the userdata.properties file. 
# Below example can be used to regenerate the ticket after every 500 minutes.
java.kinit.delay_between_regeneration=500