After setting up Cntlm on my new Mac at work and trying it for the first time, I got a “Proxy returning invalid challenge” error.
The corporate proxy at one of the customers requires NTLM authentication. That is not a “problem” when using a browser or some other “desktop” apps, but it is more complicated when you need to access the internet from the command line. So in this case I am using Cntlm, which runs as a local proxy and uses your credentials to authenticate on your behalf against the corporate proxy that requires NTLM.
What baffled me about the “Proxy returning invalid challenge” error is that I had copied a working configuration from my old machine.
After some unfruitful googling, I decided to run Cntlm in verbose mode to see what was happening in there.
So I started cntlm with /usr/local/bin/cntlm -v. That prints out the configuration being used (including the password hashes from the config file, so redact that output before sharing it, as I have done below) and then waits for requests to be sent via the proxy:
myuser@MyHost ~ % /usr/local/bin/cntlm -v
section: global, Username = 'myuser'
section: global, Domain = 'MyDomain'
section: global, PssLM = 'SOMELONGHASH1'
section: global, PassNT = 'SOMELONGHASH2'
section: global, PassNTLMv2 = 'SOMELONGHASH3'
section: global, Proxy = 'corporate_proxy:8080'
section: global, NoProxy = 'localhost, 127.0.0.*, 10.*, 192.168.*, *.local, *.mydomain'
section: global, Listen = '3128'
Default config file opened successfully
Mar 23 09:56:21 cntlm : Proxy listening on 127.0.0.1:3128
Adding no-proxy for: 'localhost'
Adding no-proxy for: '127.0.0.*'
Adding no-proxy for: '10.*'
Adding no-proxy for: '192.168.*'
Adding no-proxy for: '*.local'
Mar 23 09:56:21 cntlm : Ignoring config file option: PssLM
Mar 23 09:56:21 cntlm : Workstation name used: cntlm
Mar 23 09:56:21 cntlm : Using following NTLM hashes: NTLMv2(1) NT(0) LM(0)
Mar 23 09:56:21 cntlm : Cntlm ready, staying in the foreground
Now when I try to make a curl call to ec2.ap-southeast-2.amazonaws.com:443, I see the dreaded cntlm : Proxy returning invalid challenge! error:
******* Round 1 C: 4 *******
Reading headers (4)...
HEAD: CONNECT ec2.ap-southeast-2.amazonaws.com:443 HTTP/1.1
NO: ec2.ap-southeast-2.amazonaws.com (localhost)
NO: ec2.ap-southeast-2.amazonaws.com (127.0.0.*)
NO: ec2.ap-southeast-2.amazonaws.com (10.*)
NO: ec2.ap-southeast-2.amazonaws.com (192.168.*)
NO: ec2.ap-southeast-2.amazonaws.com (*.local)
NO: ec2.ap-southeast-2.amazonaws.com (*.mydomain)
Thread processing...
Mar 23 09:56:29 cntlm : Using proxy corporate_proxy:8080
Mar 23 09:56:29 cntlm : Resolving proxy corporate_proxy...
Resolve corporate_proxy: -> 10.x.x.x
Host => ec2.ap-southeast-2.amazonaws.com:443
User-Agent => curl/7.64.1
Proxy-Connection => Keep-Alive
Mar 23 09:56:29 cntlm : 127.0.0.1 CONNECT ec2.ap-southeast-2.amazonaws.com:443
NTLM Request:
    Domain: MyDomain
    Hostname: cntlm
    Flags: 0xA208B205
Sending PROXY auth request...
Host => ec2.ap-southeast-2.amazonaws.com:443
User-Agent => curl/7.64.1
Proxy-Connection => keep-alive
Proxy-Authorization => NTLM SOMELONGHASH4
Content-Length => 0
Reading PROXY auth response...
HEAD: HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate => NTLM
Cache-Control => no-cache
Pragma => no-cache
Content-Type => text/html; charset=utf-8
Proxy-Connection => close
Connection => close
Content-Length => 1364
Discarding 1364 bytes.
Mar 23 09:56:29 cntlm : Proxy returning invalid challenge!
Sending headers (5)...
Host => ec2.ap-southeast-2.amazonaws.com:443
User-Agent => curl/7.64.1
Proxy-Connection => keep-alive
headers_send: fd 5 warning -999 (connection closed)
forward_request: palive=0, authok=0, ntlm=0, closed=1
Thread finished.
proxy_thread: request rc = 0xffffffffffffffff
Joining thread 123145552543744; rc: 0
That didn’t really help me, so I did the same on the old machine and compared the results.
The main difference was that on the old machine I had a proper Hostname value:
NTLM Request:
    Domain: MyDomain
    Hostname: MyHost
    Flags: 0xA208B205
versus cntlm on the new one:
NTLM Request:
    Domain: MyDomain
    Hostname: cntlm
    Flags: 0xA208B205
So for some reason Cntlm didn’t pick up the hostname, and as a result the corporate proxy’s response was not usable: in the verbose log above the 407 comes back with a bare Proxy-Authenticate: NTLM header and no challenge token after it, which is what Cntlm reports as an invalid challenge.
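To make the verbose output above easier to read, here is a small Python diagnostic I am adding here (it is not part of the original post, nor cntlm’s own code): it decodes the base64 NTLM Type 1 token sent in Proxy-Authorization and reports the same Domain, Hostname and Flags that cntlm prints, and it checks whether a 407’s Proxy-Authenticate header actually carries a challenge token. The flag names come from the NTLM specification (MS-NLMP); build_negotiate only constructs a sample token for the parser and never talks to a proxy.

```python
import base64
import struct

# NEGOTIATE_MESSAGE (Type 1) flag bits as named in MS-NLMP; 0xA208B205 from
# the log decodes to exactly these ten bits.
NEGOTIATE_FLAGS = {
    0x00000001: "UNICODE", 0x00000004: "REQUEST_TARGET",
    0x00000200: "NTLM", 0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED", 0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x02000000: "VERSION",
    0x20000000: "128", 0x80000000: "56",
}

def build_negotiate(domain, workstation, flags=0xA208B205):
    """Construct a sample Type 1 token (domain/workstation are OEM strings).
    Only used here to feed the parser; it is not cntlm's own encoder."""
    dom, wks = domain.encode("ascii"), workstation.encode("ascii")
    payload_off = 32 + 8  # 32-byte fixed header + 8-byte Version (VERSION flag set)
    head = b"NTLMSSP\x00" + struct.pack("<II", 1, flags)
    head += struct.pack("<HHI", len(dom), len(dom), payload_off)
    head += struct.pack("<HHI", len(wks), len(wks), payload_off + len(dom))
    head += bytes(8)  # Version field; zeros are fine for a diagnostic sample
    return base64.b64encode(head + dom + wks).decode()

def parse_negotiate(token):
    """Decode the blob after 'Proxy-Authorization: NTLM ' into the fields cntlm
    logs as Domain, Hostname and Flags."""
    raw = base64.b64decode(token)
    if raw[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", raw, 8)[0] != 1:
        raise ValueError("not an NTLM Type 1 (NEGOTIATE) message")
    flags = struct.unpack_from("<I", raw, 12)[0]
    d_len, _, d_off = struct.unpack_from("<HHI", raw, 16)
    w_len, _, w_off = struct.unpack_from("<HHI", raw, 24)
    return {
        "domain": raw[d_off:d_off + d_len].decode("ascii", "replace"),
        "hostname": raw[w_off:w_off + w_len].decode("ascii", "replace"),
        "flags": flags,
        "flag_names": [n for bit, n in NEGOTIATE_FLAGS.items() if flags & bit],
    }

def challenge_present(proxy_authenticate):
    """True only if the 407's Proxy-Authenticate value carries a Type 2 token
    after 'NTLM'. A bare 'NTLM', as in the log above, is the failing case."""
    parts = proxy_authenticate.strip().split(None, 1)
    return len(parts) == 2 and parts[0].upper() == "NTLM" and parts[1].strip() != ""
```

Paste the token from a Proxy-Authorization line into parse_negotiate and the Proxy-Authenticate value from the 407 into challenge_present to see both halves of the exchange that cntlm is complaining about.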
After discovering that, I ran Cntlm with the -w flag, like this: /usr/local/bin/cntlm -v -w MyHost, and that worked!!
But I don’t want to bother with specifying the hostname each time I start Cntlm, so I added it to Cntlm’s configuration file (/usr/local/etc/cntlm.conf in my case) using the “Workstation” parameter:
# Specify the netbios hostname cntlm will send to the parent
# proxies. Normally the value is auto-guessed.
#
# Workstation netbios_hostname
Workstation MyHost
It did the trick and I am a happy Cntlm user again :-).
I am not sure why Cntlm managed to “auto-guess” the value on the old machine (if you remember, I copied the config like for like) while it didn’t on the new one, but trying to understand that was not a priority for me, as I could finally get back to work.