cntlm – Proxy returning invalid challenge

After setting up Cntlm on my new Mac at work and trying it for the first time, I got a “Proxy returning invalid challenge” error.

The corporate proxy at one of my customers requires NTLM authentication. While that is not a “problem” when using a browser or some other “desktop” apps, it is more complicated when you need to access the internet from the command line. So in this case I am using Cntlm, which runs as a local proxy and uses your credentials to authenticate against the corporate proxy that requires NTLM authentication.

What puzzled me about the “Proxy returning invalid challenge” error is that I had copied a working configuration from my old machine.

After some unfruitful googling I decided to run Cntlm in verbose mode to see what was happening in there.

So I started cntlm with /usr/local/bin/cntlm -v. That prints out the configuration being used and then waits for requests to be sent via the proxy:

myuser@MyHost ~ % /usr/local/bin/cntlm -v
section: global, Username = 'myuser'
section: global, Domain = 'MyDomain'
section: global, PssLM = 'SOMELONGHASH1'
section: global, PassNT = 'SOMELONGHASH2'
section: global, PassNTLMv2 = 'SOMELONGHASH3'
section: global, Proxy = 'corporate_proxy:8080'
section: global, NoProxy = 'localhost, 127.0.0.*, 10.*, 192.168.*, *.local, *.mydomain'
section: global, Listen = '3128'
Default config file opened successfully
Mar 23 09:56:21  cntlm[49863] : Proxy listening on 127.0.0.1:3128
Adding no-proxy for: 'localhost'
Adding no-proxy for: '127.0.0.*'
Adding no-proxy for: '10.*'
Adding no-proxy for: '192.168.*'
Adding no-proxy for: '*.local'
Mar 23 09:56:21  cntlm[49863] : Ignoring config file option: PssLM
Mar 23 09:56:21  cntlm[49863] : Workstation name used: cntlm
Mar 23 09:56:21  cntlm[49863] : Using following NTLM hashes: NTLMv2(1) NT(0) LM(0)
Mar 23 09:56:21  cntlm[49863] : Cntlm ready, staying in the foreground

Now when I try to make a curl call to ec2.ap-southeast-2.amazonaws.com:443, I see the dreadful cntlm[49863] : Proxy returning invalid challenge! error:

******* Round 1 C: 4 *******
Reading headers (4)...
HEAD: CONNECT ec2.ap-southeast-2.amazonaws.com:443 HTTP/1.1
   NO: ec2.ap-southeast-2.amazonaws.com (localhost)
   NO: ec2.ap-southeast-2.amazonaws.com (127.0.0.*)
   NO: ec2.ap-southeast-2.amazonaws.com (10.*)
   NO: ec2.ap-southeast-2.amazonaws.com (192.168.*)
   NO: ec2.ap-southeast-2.amazonaws.com (*.local)
   NO: ec2.ap-southeast-2.amazonaws.com (*.mydomain)
Thread processing...
Mar 23 09:56:29  cntlm[49863] : Using proxy corporate_proxy:8080
Mar 23 09:56:29  cntlm[49863] : Resolving proxy corporate_proxy...
Resolve corporate_proxy:
  -> 10.x.x.x
Host                           => ec2.ap-southeast-2.amazonaws.com:443
User-Agent                     => curl/7.64.1
Proxy-Connection               => Keep-Alive
Mar 23 09:56:29  cntlm[49863] : 127.0.0.1 CONNECT ec2.ap-southeast-2.amazonaws.com:443
NTLM Request:
	   Domain: MyDomain
	 Hostname: cntlm
	    Flags: 0xA208B205

Sending PROXY auth request...
Host                           => ec2.ap-southeast-2.amazonaws.com:443
User-Agent                     => curl/7.64.1
Proxy-Connection               => keep-alive
Proxy-Authorization            => NTLM SOMELONGHASH4
Content-Length                 => 0

Reading PROXY auth response...
HEAD: HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate             => NTLM
Cache-Control                  => no-cache
Pragma                         => no-cache
Content-Type                   => text/html; charset=utf-8
Proxy-Connection               => close
Connection                     => close
Content-Length                 => 1364
Discarding 1364 bytes.
Mar 23 09:56:29  cntlm[49863] : Proxy returning invalid challenge!
Sending headers (5)...
Host                           => ec2.ap-southeast-2.amazonaws.com:443
User-Agent                     => curl/7.64.1
Proxy-Connection               => keep-alive
headers_send: fd 5 warning -999 (connection closed)
forward_request: palive=0, authok=0, ntlm=0, closed=1

Thread finished.
proxy_thread: request rc = 0xffffffffffffffff
Joining thread 123145552543744; rc: 0

That didn’t really help me, so I did the same on the old machine and compared the results.

The main difference was that on the old machine I had a proper Hostname value:

NTLM Request:
	   Domain: MyDomain
	 Hostname: MyHost
	    Flags: 0xA208B205

versus Cntlm on the new one:

NTLM Request:
	   Domain: MyDomain
	 Hostname: cntlm
	    Flags: 0xA208B205

So for some reason Cntlm didn’t pick up the hostname and fell back to “cntlm”, and as a result the corporate proxy’s response was not usable.
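To make the two log fragments above concrete, here is an added example (my own code, not part of Cntlm or this post) that builds the NTLM Type 1 message Cntlm sends in its first round with a given Domain and Hostname, decodes it back into those fields, and inspects a 407 Proxy-Authenticate value: a bare “NTLM” with no base64 token, as in the response captured above, carries no challenge, which is the condition Cntlm reports as an invalid challenge. Flag bit values are taken from the NTLM spec (MS-NLMP); the sample domain and host names are constructed.

```python
import base64
import struct

# NEGOTIATE_MESSAGE flag bits from MS-NLMP; 0xA208B205 is the Flags value cntlm logged above.
NEG_OEM_DOMAIN_SUPPLIED = 0x00001000
NEG_OEM_WORKSTATION_SUPPLIED = 0x00002000
CNTLM_FLAGS = 0xA208B205
SIGNATURE = b"NTLMSSP\0"


def build_negotiate(domain: str, workstation: str, flags: int = CNTLM_FLAGS) -> bytes:
    """Build an NTLM Type 1 message; domain and workstation are OEM (ASCII) strings."""
    dom, wks = domain.encode("ascii"), workstation.encode("ascii")
    payload_off = 40  # signature(8) + type(4) + flags(4) + 2 field descriptors(16) + version(8)
    msg = SIGNATURE + struct.pack("<II", 1, flags)
    msg += struct.pack("<HHI", len(dom), len(dom), payload_off)
    msg += struct.pack("<HHI", len(wks), len(wks), payload_off + len(dom))
    msg += b"\0" * 8  # Version field, zeroed (ignored by the receiver)
    return msg + dom + wks


def authorization_header(domain: str, workstation: str) -> str:
    """Value cntlm puts in 'Proxy-Authorization' for the first round."""
    return "NTLM " + base64.b64encode(build_negotiate(domain, workstation)).decode()


def parse_negotiate(token: str) -> dict:
    """Decode a base64 Type 1 token into its flags, domain and workstation fields."""
    raw = base64.b64decode(token)
    if len(raw) < 32 or raw[:8] != SIGNATURE or struct.unpack_from("<I", raw, 8)[0] != 1:
        raise ValueError("not an NTLM Type 1 message")
    flags = struct.unpack_from("<I", raw, 12)[0]
    dom_len, _, dom_off = struct.unpack_from("<HHI", raw, 16)
    wks_len, _, wks_off = struct.unpack_from("<HHI", raw, 24)
    dom = raw[dom_off:dom_off + dom_len] if flags & NEG_OEM_DOMAIN_SUPPLIED else b""
    wks = raw[wks_off:wks_off + wks_len] if flags & NEG_OEM_WORKSTATION_SUPPLIED else b""
    return {"flags": flags, "domain": dom.decode("ascii"), "workstation": wks.decode("ascii")}


def extract_challenge(proxy_authenticate: str):
    """Type 2 challenge bytes from a 407's Proxy-Authenticate value, or None when the value is a
    bare 'NTLM' (what the proxy sent in the log above; cntlm then reports an invalid challenge)."""
    parts = proxy_authenticate.strip().split(None, 1)
    if len(parts) < 2 or parts[0].upper() != "NTLM":
        return None
    raw = base64.b64decode(parts[1])
    if len(raw) < 12 or raw[:8] != SIGNATURE or struct.unpack_from("<I", raw, 8)[0] != 2:
        return None
    return raw
```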

After discovering that, I ran Cntlm with the -w flag, like this: /usr/local/bin/cntlm -v -w MyHost, and that worked!

But I don’t want to bother with specifying the hostname each time I start Cntlm, so I added it to Cntlm’s configuration file (/usr/local/etc/cntlm.conf in my case) using the “Workstation” parameter:

# Specify the netbios hostname cntlm will send to the parent
# proxies. Normally the value is auto-guessed.
#
# Workstation   netbios_hostname

Workstation MyHost

It did the trick and I am a happy Cntlm user again :-).

I am not sure why Cntlm managed to “auto-guess” the value on the old machine (if you remember, I copied the config like for like) while it didn’t on the new one. Understanding that was not a priority for me, though, as I finally could get back to work.
