cntlm – Proxy returning invalid challenge

After setting up Cntlm on my new Mac at work and trying it for the first time, I got a “Proxy returning invalid challenge” error.

The corporate proxy at one of the customers requires NTLM authentication. That is not a “problem” for a browser or other “desktop” apps, but it is more complicated when you need internet access from the command line. So in this case I am using Cntlm, which is set up as a local proxy and uses your credentials to authenticate against the corporate proxy that requires NTLM authentication.

What baffled me about the “Proxy returning invalid challenge” error is that I had copied a working configuration from my old machine.

After some fruitless googling I decided to run Cntlm in verbose mode to see what was happening in there.

So I started cntlm with /usr/local/bin/cntlm -v. That prints out the configuration in use and then waits for requests to be sent via the proxy:

myuser@MyHost ~ % /usr/local/bin/cntlm -v
section: global, Username = 'myuser'
section: global, Domain = 'MyDomain'
section: global, PssLM = 'SOMELONGHASH1'
section: global, PassNT = 'SOMELONGHASH2'
section: global, PassNTLMv2 = 'SOMELONGHASH3'
section: global, Proxy = 'corporate_proxy:8080'
section: global, NoProxy = 'localhost, 127.0.0.*, 10.*, 192.168.*, *.local, *.mydomain'
section: global, Listen = '3128'
Default config file opened successfully
Mar 23 09:56:21  cntlm[49863] : Proxy listening on 127.0.0.1:3128
Adding no-proxy for: 'localhost'
Adding no-proxy for: '127.0.0.*'
Adding no-proxy for: '10.*'
Adding no-proxy for: '192.168.*'
Adding no-proxy for: '*.local'
Mar 23 09:56:21  cntlm[49863] : Ignoring config file option: PssLM
Mar 23 09:56:21  cntlm[49863] : Workstation name used: cntlm
Mar 23 09:56:21  cntlm[49863] : Using following NTLM hashes: NTLMv2(1) NT(0) LM(0)
Mar 23 09:56:21  cntlm[49863] : Cntlm ready, staying in the foreground

Now when I try to make a curl call to ec2.ap-southeast-2.amazonaws.com:443, I see the dreadful cntlm[49863] : Proxy returning invalid challenge! error:

******* Round 1 C: 4 *******
Reading headers (4)...
HEAD: CONNECT ec2.ap-southeast-2.amazonaws.com:443 HTTP/1.1
   NO: ec2.ap-southeast-2.amazonaws.com (localhost)
   NO: ec2.ap-southeast-2.amazonaws.com (127.0.0.*)
   NO: ec2.ap-southeast-2.amazonaws.com (10.*)
   NO: ec2.ap-southeast-2.amazonaws.com (192.168.*)
   NO: ec2.ap-southeast-2.amazonaws.com (*.local)
   NO: ec2.ap-southeast-2.amazonaws.com (*.mydomain)
Thread processing...
Mar 23 09:56:29  cntlm[49863] : Using proxy corporate_proxy:8080
Mar 23 09:56:29  cntlm[49863] : Resolving proxy corporate_proxy...
Resolve corporate_proxy:
  -> 10.x.x.x
Host                           => ec2.ap-southeast-2.amazonaws.com:443
User-Agent                     => curl/7.64.1
Proxy-Connection               => Keep-Alive
Mar 23 09:56:29  cntlm[49863] : 127.0.0.1 CONNECT ec2.ap-southeast-2.amazonaws.com:443
NTLM Request:
	   Domain: MyDomain
	 Hostname: cntlm
	    Flags: 0xA208B205

Sending PROXY auth request...
Host                           => ec2.ap-southeast-2.amazonaws.com:443
User-Agent                     => curl/7.64.1
Proxy-Connection               => keep-alive
Proxy-Authorization            => NTLM SOMELONGHASH4
Content-Length                 => 0

Reading PROXY auth response...
HEAD: HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate             => NTLM
Cache-Control                  => no-cache
Pragma                         => no-cache
Content-Type                   => text/html; charset=utf-8
Proxy-Connection               => close
Connection                     => close
Content-Length                 => 1364
Discarding 1364 bytes.
Mar 23 09:56:29  cntlm[49863] : Proxy returning invalid challenge!
Sending headers (5)...
Host                           => ec2.ap-southeast-2.amazonaws.com:443
User-Agent                     => curl/7.64.1
Proxy-Connection               => keep-alive
headers_send: fd 5 warning -999 (connection closed)
forward_request: palive=0, authok=0, ntlm=0, closed=1

Thread finished.
proxy_thread: request rc = 0xffffffffffffffff
Joining thread 123145552543744; rc: 0

That didn’t really help me, so I did the same on the old machine and compared the results.

The main difference was that on the old machine the NTLM request carried a proper Hostname value:

NTLM Request:
	   Domain: MyDomain
	 Hostname: MyHost
	    Flags: 0xA208B205

versus cntlm on the new one:

NTLM Request:
	   Domain: MyDomain
	 Hostname: cntlm
	    Flags: 0xA208B205

So for some reason Cntlm didn’t pick up the hostname, and as a result the corporate proxy’s response was not usable: as the 407 above shows, it answered with a bare Proxy-Authenticate: NTLM header and no challenge token, which is what cntlm reports as an invalid challenge.
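To make the two things compared above concrete, here is an added Python example (not cntlm’s own code) that builds and decodes the NTLM Type 1 token cntlm puts in Proxy-Authorization, so the Domain and Workstation fields can be read straight out of a captured header, and that classifies the upstream proxy’s Proxy-Authenticate reply, distinguishing a bare NTLM (no challenge, the failure case in the log) from a well-formed Type 2 challenge. The flags value is the one printed in the verbose output; the Version bytes, the sample challenge and the target name are constructed for the example and are not what any real proxy sent.

```python
"""Inspect an NTLM proxy handshake: what cntlm sends (Type 1) and what the
upstream proxy answers (Type 2 or nothing). Added example, not cntlm code."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_NTLM = 0x00000200
TARGET_TYPE_DOMAIN = 0x00010000
NEGOTIATE_VERSION = 0x02000000
# Flags copied from the post's verbose output ("Flags: 0xA208B205").
CNTLM_FLAGS = 0xA208B205


def _fields(length, offset):
    """Len / MaxLen / BufferOffset triple used for every variable field in MS-NLMP."""
    return struct.pack("<HHI", length, length, offset)


def build_negotiate(domain, workstation, flags=CNTLM_FLAGS):
    """NEGOTIATE_MESSAGE (Type 1) with OEM-encoded domain and workstation names."""
    dom, wks = domain.encode("ascii"), workstation.encode("ascii")
    header_len = 40 if flags & NEGOTIATE_VERSION else 32
    msg = NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags)
    msg += _fields(len(dom), header_len)
    msg += _fields(len(wks), header_len + len(dom))
    if flags & NEGOTIATE_VERSION:
        msg += b"\x00" * 8  # Version field: filler (assumption), not cntlm's real value
    return msg + dom + wks


def negotiate_token(domain, workstation, flags=CNTLM_FLAGS):
    """The base64 string that follows 'NTLM ' in the Proxy-Authorization header."""
    return base64.b64encode(build_negotiate(domain, workstation, flags)).decode()


def parse_negotiate(token_b64):
    """Return (flags, domain, workstation) from a captured Type 1 token."""
    raw = base64.b64decode(token_b64)
    if raw[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", raw, 8)[0] != 1:
        raise ValueError("not an NTLM Type 1 message")
    flags = struct.unpack_from("<I", raw, 12)[0]
    dlen, _, doff = struct.unpack_from("<HHI", raw, 16)
    wlen, _, woff = struct.unpack_from("<HHI", raw, 24)
    return flags, raw[doff:doff + dlen].decode("ascii"), raw[woff:woff + wlen].decode("ascii")


def build_challenge(target, server_challenge,
                    flags=NEGOTIATE_UNICODE | NEGOTIATE_NTLM | TARGET_TYPE_DOMAIN):
    """Minimal CHALLENGE_MESSAGE (Type 2) without a Version field, for the sample below."""
    tgt = target.encode("utf-16-le")
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", 2)
    msg += _fields(len(tgt), 48)                     # TargetName right after the 48-byte header
    msg += struct.pack("<I", flags) + server_challenge + b"\x00" * 8  # flags, challenge, reserved
    msg += _fields(0, 48 + len(tgt))                 # empty TargetInfo
    return msg + tgt


def challenge_header(target, server_challenge):
    """A constructed 'Proxy-Authenticate' value carrying a Type 2 token."""
    return "NTLM " + base64.b64encode(build_challenge(target, server_challenge)).decode()


def classify_proxy_authenticate(header_value):
    """Classify a 407's Proxy-Authenticate value.

    ('no-challenge', None)   bare 'NTLM': the proxy restarted the handshake instead
                             of answering our Type 1 (the post's failure case)
    ('challenge', target)    well-formed Type 2 token, target name decoded
    ('invalid', reason)      anything else
    """
    parts = header_value.strip().split(None, 1)
    if not parts or parts[0].upper() != "NTLM":
        return "invalid", "not an NTLM scheme"
    if len(parts) == 1:
        return "no-challenge", None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid", "token is not base64"
    if len(raw) < 48 or raw[:8] != NTLMSSP_SIGNATURE:
        return "invalid", "missing NTLMSSP signature or truncated"
    if struct.unpack_from("<I", raw, 8)[0] != 2:
        return "invalid", "not a Type 2 message"
    tlen, _, toff = struct.unpack_from("<HHI", raw, 12)
    flags = struct.unpack_from("<I", raw, 20)[0]
    if toff + tlen > len(raw):
        return "invalid", "TargetName offset out of range"
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return "challenge", raw[toff:toff + tlen].decode(enc)


if __name__ == "__main__":
    # What the new machine sent: Workstation fell back to 'cntlm'.
    print(parse_negotiate(negotiate_token("MyDomain", "cntlm")))
    # What the proxy answered in the log: header value was just 'NTLM'.
    print(classify_proxy_authenticate("NTLM"))
    # A constructed, well-formed reply for comparison.
    print(classify_proxy_authenticate(challenge_header("MYDOMAIN", b"\x01" * 8)))
```

Paste the base64 blob from the verbose log’s Proxy-Authorization line into parse_negotiate to see exactly which Domain and Workstation the upstream proxy received, and feed the Proxy-Authenticate value from the 407 into classify_proxy_authenticate to tell a rejected handshake apart from a malformed one.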

After discovering that, I ran Cntlm with the -w flag, like this: /usr/local/bin/cntlm -v -w MyHost, and that worked!

But I didn’t want to bother with specifying the hostname each time I start Cntlm, so I added it to Cntlm’s configuration file (/usr/local/etc/cntlm.conf in my case) using the “Workstation” parameter:

# Specify the netbios hostname cntlm will send to the parent
# proxies. Normally the value is auto-guessed.
#
# Workstation   netbios_hostname
Workstation     MyHost

It did the trick and I am a happy Cntlm user again :-).

I am not sure why Cntlm managed to “auto-guess” the value on the old machine (remember, I copied the config like for like) while it didn’t on the new one, but understanding that was not a priority for me, as I could finally get back to work.
