Stress testing is hard; accurately simulating large numbers of unique users exercising your application is difficult at the best of times. Add Integrated Windows Authentication to the mix and you have all new problems.
My current project deals with developing a straightforward internal web app for a client (ASP.Net MVC, Castle ActiveRecord/NHibernate, IIS 6). Nothing too crazy. When it came time for stress testing, I immediately turned to Apache JMeterfor simple stress test scripts.
Only one problem: the integrated window authentication. No login page. No forms to submit. Just behind the scenes NTLM and Kerberos handshakes. Lots of websites say that JMeter supports NTLM, but few mention actually getting it to work.
Below are 4 tips which were invaluable in getting things setup and working ...
>> Store user specific data in an external file
In order to manage user specific test data (e.g. request parameters, login credentials, user preferences, etc) consider moving this data into a separate file external to the JMeter test plan. By moving this data out of the test plan it can be easily changed by anyone and adjusted to fit a variety of test scenarios. It is also a lot easier to look at 100+ users worth of data in Excel than JMeter.
We ended up using the CVS Data Set config element to store all of our per-user data such as login usernames and request parameters. The element allowed each thread (user) to have individualized data set to properties within JMeter.
Note: If the Sharing Mode property is set to All Threads, each time a thread starts it will grab the next available row in the .csv file. This means that Thread-1 may not always get the 1st row of data.
If the threads repeat their actions multiple times, they may grab a different row on their subsequent runs. Also, if you create more threads than data rows, the rows will be reused starting at the top.
>> Setup each thread to authenticate as a different unique user
In order to accurately simulate our users, we needed each thread to login with different credentials; we didn't want test users stepping on each other.
By placing an HTTP Authorization Manager config element within the thread group element and storing login credentials in our .csv data file, each user was able to login with different and unique windows credentials.
Note: Make sure that the Base URL property is set to the url of your test server (including http://) and that the windows domain is set.
>> Do NOT use the normal Request sampler
The "normal" http request sampler found in all of the tutorials does NOT use the Apache HTTPClient library under the covers and does not support NTLM. No matter how much you try, it won't use the windows credentials you give it.
Instead, use the HTTP Request HTTPClient sampler. The names are very similar, but the behavior is not. This change was key to getting the tests to send the proper NTLM handshake back to the server.
>> Disable preemptive sending of credentials
If you are using the correct request sampler, JMeter will know how to send credentials back to the server. Unfortunately, it sends the credentials of the currently logged in user back, NOT the ones configured in the Authorization Manager.
In order to have your configured credentials set, modify the jmeter.properties and httpclient.parameters files to disable preemptive sending of credentials (notes on what to change can be found here).
** A sample JMeter test plan (.jmx) file can be found here which includes several of these tips and was the basis for our test scripts. **