15

I have a ASP.NET MVC website that uses Windows Authentication to control access. I would like to have a specflow selenium test that checks the configuration is correct by attempting to visit the site as a non-authorised user.

As we're using domain accounts to control access there isn't a username/password login screen. The credentials of the current user are automatically passed to the site by the browser.

So for my Selenium test I need to be able to run Internet Explorer as a specific user.

I have found a number of articles about windows impersonation and I can switch to my test user during the running of the test (using the code from http://support.microsoft.com/kb/306158). However if I then create an InternetExplorerDriver it starts internet explorer with my credentials rather than the test user's (although this question and answer suggests that it should work https://sqa.stackexchange.com/questions/2277/using-selenium-webdriver-with-windows-authentication).

I can also explicitly start an Internet Explorer process as my test user, but I can't see a way of binding an InternetExplorerDriver to an already running Internet Explorer process, so this may be a dead end.

My code, basically taken from the MSDN page above is below. In the debugger I can see that WindowsIdentity.GetCurrent().Name is "testUser" in all the steps of the test.

namespace MyProject.Specs
{
using NUnit.Framework;
using OpenQA.Selenium;
using OpenQA.Selenium.IE;
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using TechTalk.SpecFlow;

[Binding]
public class AuthorisationSteps
{
    public const int LOGON32_LOGON_INTERACTIVE = 2;
    public const int LOGON32_PROVIDER_DEFAULT = 0;
    private static WindowsImpersonationContext impersonationContext;
    private static IWebDriver driver;

    [BeforeScenario]
    public static void impersonateUser()
    {
        if (!impersonateValidUser("testUser", "testDomain", "password"))
        {
            throw new Exception();
        }
        driver = new InternetExplorerDriver();
    }

    [AfterScenario]
    public static void cleanupUser()
    {
        undoImpersonation();
        driver.Quit();
    }

    [Given(@"I am an unauthorised user")]
    public void GivenIAmAnUnauthorisedUser()
    {
        var temp = WindowsIdentity.GetCurrent().Name;
    }

    [When(@"I go to the home page")]
    public void WhenIGoToTheHomePage()
    {
        var temp = WindowsIdentity.GetCurrent().Name;
        driver.Navigate().GoToUrl(BaseUrl);
    }

    [Then(@"I should see an error page")]
    public void ThenIShouldSeeAnErrorPage()
    {
        var temp = WindowsIdentity.GetCurrent().Name;
        Assert.That(driver.Title.Contains("Error"));
    }

    [DllImport("advapi32.dll")]
    public static extern int LogonUserA(String lpszUserName,
                                        String lpszDomain,
                                        String lpszPassword,
                                        int dwLogonType,
                                        int dwLogonProvider,
                                        ref IntPtr phToken);

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern int DuplicateToken(IntPtr hToken,
                                            int impersonationLevel,
                                            ref IntPtr hNewToken);

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool RevertToSelf();

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public static extern bool CloseHandle(IntPtr handle);

    private static bool impersonateValidUser(String userName, String domain, String password)
    {
        WindowsIdentity tempWindowsIdentity;
        var token = IntPtr.Zero;
        var tokenDuplicate = IntPtr.Zero;

        if (RevertToSelf())
        {
            if (LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
                LOGON32_PROVIDER_DEFAULT, ref token) != 0)
            {
                if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
                {
                    tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                    impersonationContext = tempWindowsIdentity.Impersonate();
                    if (impersonationContext != null)
                    {
                        CloseHandle(token);
                        CloseHandle(tokenDuplicate);
                        return true;
                    }
                }
            }
        }
        if (token != IntPtr.Zero)
        {
            CloseHandle(token);
        }
        if (tokenDuplicate != IntPtr.Zero)
        {
            CloseHandle(tokenDuplicate);
        }
        return false;
    }

    private static void undoImpersonation()
    {
        impersonationContext.Undo();
    }
}

}

Community
  • 1
  • 1
Dan
  • 7,446
  • 6
  • 32
  • 46
  • maybe something to try: put your `driver` instantiation before the `impersonateValidUser(..)` – ddavison Jan 20 '15 at 13:04
  • Thanks for the idea, but I'm afraid it doesn't fix things – Dan Jan 20 '15 at 13:19
  • Maybe try kicking off your tests from the Windows command line via `runas /user:USER@DOMIAN path\to\mstest.exe ...` – Greg Burghardt Jan 28 '15 at 17:55
  • That would probably work, but you would need to kick of one run per user. For now I've stopped looking into this as I only have two tests that need it and I can run them manually in a couple of minutes. – Dan Feb 03 '15 at 10:22
  • Someone asked a similar question in the context of Java: http://stackoverflow.com/questions/18017883/running-ie-as-a-different-user-with-selenium-webdriver-in-java - but it remains 'unanswered'. – immutabl Feb 18 '15 at 16:59

8 Answers8

5

We have many enterprise clients that use Windows Authentication for intranet facing applications and we are starting to run many Selenium tests for confirmation, regression, etc.

We've taken the helpful code from Steven's answer and refactored it into a re-usable class similar to other Impersonate posts that just weren't working for us because we wanted the tests to work both locally in development and deployed as part of the Visual Studio Team System release process.

The uri method was not working locally and neither were impersonating methods using Win32 native methods.

This one worked so here it is.

Example of a test using Steven's code refactored into a helper

[TestMethod]
public void ThisApp_WhenAccessedByUnathorizedUser_ShouldDisallowAccess()
{
    string userName = "ThisAppNoAccess";
    string password = "123456";
    string domainName = Environment.MachineName;
    using (new Perkins.Impersonator(userName, domainName, password))
    {
        // - Use Remote Web Driver to hook up the browser driver instance launched manually.
        using (var driver = new RemoteWebDriver(new Uri("http://localhost:9515"), DesiredCapabilities.Chrome()))
        {
            var desiredUri = Helper.Combine(Helper.BaseURL, "/ThisApp/#/appGrid");
            TestContext.WriteLine("desiredUri: {0}", desiredUri);
            driver.Navigate().GoToUrl(desiredUri);
            Helper.WaitForAngular(driver);
            var noPermissionNotificationElement = driver.FindElementByXPath("//div[@ng-show='!vm.authorized']/div/div/div/p");
            var showsNoPermissionNotification = noPermissionNotificationElement.Text.Contains("You do not have permissions to view ThisApp.");
            Assert.AreEqual(true, showsNoPermissionNotification, "The text `You do not have permissions to view ThisApp.` is not being displayed!");
        }
    }
}

The helper class

// Idea from http://stackoverflow.com/a/34406336/16008
// - Launch the browser driver manually with other user's credentials in background
public class Perkins
{
    public class Impersonator : IDisposable
    {
        Process _driverProcess = null;
        string _driverPath = @"chromedriver.exe";
        /// <summary>
        /// Impersonates the specified user account by launching the selenium server under that account.  Connect to it via RemoteWebDriver and localhost on port 9515.
        /// </summary>
        /// <remarks>
        /// We may later want to enhance this by allowing for different ports, etc.
        /// </remarks>
        /// <param name="userName">Name of the user</param>
        /// <param name="domainName">Name of the domain or computer if using a local account.</param>
        /// <param name="password">The password</param>
        public Impersonator(string userName, string domainName, string password)
        {
            ProcessStartInfo processStartInfo = new ProcessStartInfo(_driverPath);
            processStartInfo.UserName = userName;
            System.Security.SecureString securePassword = new System.Security.SecureString();
            foreach (char c in password)
            {
                securePassword.AppendChar(c);
            }
            processStartInfo.Password = securePassword;
            processStartInfo.Domain = domainName; // this is important, mcollins was getting a 'stub received bad data' without it, even though rglos was not
            processStartInfo.UseShellExecute = false;
            processStartInfo.LoadUserProfile = true; // this seemed to be key, without this, I get Internal Server Error 500
            Thread startThread = new Thread(() =>
            {
                _driverProcess = Process.Start(processStartInfo);
                _driverProcess.WaitForExit();
            })
            { IsBackground = true };
            startThread.Start();
        }
        public void Dispose()
        {
            // - Remember to close/exit/terminate the driver process and browser instance when you are done.
            if (_driverProcess != null)
            {
                // Free managed resources
                if (!_driverProcess.HasExited)
                {
                    _driverProcess.CloseMainWindow();
                    _driverProcess.WaitForExit(5000);
                    // Kill the process if the process still alive after the wait
                    if (!_driverProcess.HasExited)
                    {
                        _driverProcess.Kill();
                    }
                    _driverProcess.Close();
                }
                _driverProcess.Dispose();
                _driverProcess = null;
            }
        }
    }
}

Perhaps this will help someone else with the same issue.

Rick Glos
  • 2,466
  • 2
  • 29
  • 30
  • Thanks for this class; it's been really helping in figuring out what I want to do. I'm having trouble with the logon information though, and I made a post about it here: https://stackoverflow.com/questions/47687030/selenium-user-impersonation-failure Do you know how I could get past this/what I did wrong? I get the same error when using your unmodified code too. – Rescis Dec 07 '17 at 22:48
  • The logic of this code is very clear: firstly, start a chrome driver process using impersonator, then connect to the driver via Json Wire Protocol and RemoteWebDriver. Very clever, well done! – Richard Jul 03 '20 at 04:17
3

This is in fact possible. I ran into the exact problem you had. Basically, here are the steps you need to do.

  1. Launch the browser driver manually with other user's credentials in background

    Process driverProcess;
string driverPath; // The path to Selenium's IE driver.
ProcessStartInfo info = new ProcessStartInfo(driverPath)
{
    UserName = "UserName", // The user name.
    Password = new SecureString(), // The password for the user.
    UseShellExecute = false,
    LoadUserProfile = true,
    Arguments = "about:blank"
};
// Start the driver in background thread
Thread startThread = new Thread(
    () => {
        try
        {
            driverProcess = Process.Start(info);
            driverProcess.WaitForExit();
        }
        catch
        {
            // Close the process.
        }
    })
{
    IsBackground = true
};
startThread.Start();

  2. Use Remote Web Driver to hook up the browser driver instance launched manually.

    var remoteDriver = new RemoteWebDriver(Uri("http://localhost:5555"), DesiredCapabilities.InternetExplorer());

  3. Remember to close/exit/terminate the driver process and browser instance when you are done.

    // Close the process when done.
if (driverProcess != null)
{
    // Free managed resources
    if (!driverProcess.HasExited)
    {
        driverProcess.CloseMainWindow();
        driverProcess.WaitForExit(5000);
        // Kill the process if the process still alive after the wait
        if (!driverProcess.HasExited)
        {
            driverProcess.Kill();
        }

        driverProcess.Close();
    }

    driverProcess.Dispose();
    driverProcess = null;
}
Steven
  • 2,258
  • 1
  • 22
  • 22
  • Step 1 is missing the how you started the process manually - specifically, the `info` object. – Rick Glos May 31 '16 at 16:26
  • @RickGlos I updated step 1 to include how I get the `info` object. – Steven May 31 '16 at 17:05
  • thanks, with that extra tidbit of clarity I was able to get this working, although we are doing it with Chrome, it appears to be as simple as changing out the `driverPath` to use `chromedriver` vs the `IEDriverServer`. We also need to reuse this over and over so I'll post an answer shortly that we are using now in many methods that builds upon yours. Thanks again! – Rick Glos Jun 01 '16 at 15:41
0

This similar question links to this Microsoft support article. Essentially you need

System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = 
((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
IWebDriver webDriver = new InternetExplorerDriver();
// do your stuff here.
impersonationContext.Undo();

There's additional code in the support article about impersonating a specific user.

Community
  • 1
  • 1
Scott Rickman
  • 560
  • 5
  • 10
  • 1
    I think that's the code Dan is already using. That's the same KB article he linked to in his question. – Rup Feb 10 '15 at 18:34
  • 1
    impersonation works but the internet explorer user does not change for me. – ColacX Feb 12 '15 at 15:12
0

Do you have a couple of old PCs? Or the capacity for some virtual machines?

If so, build a Selenium Grid set-up, and configure one to automatically login as the desired domain user and one as a non-domain user.
http://code.google.com/p/selenium/wiki/Grid2

Bigwave
  • 2,166
  • 1
  • 17
  • 28
0

I was having same problem when I was doing automation project for web based application which required window authentication. However, I have achieved this with using firefox, following are the steps to achieve it.

FIREFOX SETUP

  1. OPEN RUN DIALOG OF YOUR SYSTEM AND TYPE 'firefox.exe -p' (CLOSE YOUR FIREFOX BROWSER BEFORE RUNNING THIS COMMAND) http://www.wikihow.com/Create-a-Firefox-Profile
  2. CLICK ON CREATE PROFILE AND GIVE A NAME AS REQURIED
  3. SELECT CREATED PROFILE AND START BROWSER AND OPEN ADD-ONS MANAGER (TOOLS - ADD-ONS)
  4. SEARCH FOR 'AutoAuth' AND INSTALL IT. IT WILL ASK FOR RESTART, DO IT
  5. ONCE THE FIREFOX IS RESTARTED, THAN OPEN URL IT WILL ASK YOU FOR AUTHENTICATION
  6. ENTER USERNAME AND PASSWORD - SUBMIT IT, FIREFOX WILL ASK YOU TO REMEMBER THE PASSWORD
  7. CLICK ON REMEMBER AND IT WILL SAVE THE PASSWORD IN FIREFOX PROFILE
  8. COPY CREATED FIREFOX PROFILE AND SAVE IT TO REQUIRED FOLDER
  9. IN YOUR SELENIUM SCRIPT CALL ABOVE CREATED PROFILE WITH FIREFOX DRIVER AND PASS THE SAME URL, IT WILL NOT ASK FOR AUTHENTICATION DIALOG

This is working very successfully in my project.

Karim Narsindani
  • 434
  • 3
  • 14
  • 38
0

We use https://stackoverflow.com/a/31540010/3489693 approach for IE and Chrome over 2 years. It works fine

Community
  • 1
  • 1
mdementev
  • 145
  • 10
0

So it seems the problem that the question is trying to circumvent has to do with NTLM Auto Login. See Google Chrome and NTLM Auto Login Using Windows Authentication

The solutions above did not work for me since the auto-login would successfully authenticate with any user on my system, so it didn't matter which user I used for impersonation.

However, I noticed that you can outsmart auto-login by replacing localhost with any other domain name, such as the local IP address. No impersonation required :)

bgh
  • 1,986
  • 1
  • 27
  • 36
0

This may / may not work.

  • Try to launch your site in "CHROME".
  • Hit F-12, go to Application Tab -> Cookies -> Click on your site link. on left hand side look for something that represent your session id, may be JSESSIONID or similar that represents user's session, copy that.
  • Now open your Internet Explorer,
  • hit F-12 and manually create that JSESSIONID ( or similar key ) by running this command in console window

document.cookie = "JSESSIONID=your-session-id-from-chrome"

  • hit play button to execute script
  • Refresh your browser
ATHER
  • 3,254
  • 5
  • 40
  • 63