cntlm: Proxy returning invalid challenge

Amedee Van Gasse (ub) amedee-ubuntu at amedee.be
Tue Oct 12 09:55:31 UTC 2010 

On Mon, October 11, 2010 20:44, Amedee Van Gasse (ub) wrote:
> I'm taking evening classes Java. The internet connection is protected with
> an ISA server. We got the proxy server, port, login and password from the
> teacher.
> My fellow students all have Windows on their laptop and have no problem to
> get online with their browser.
>
> For me it doesn't work because it appears that ISA requires NTLM
> authentication. I installed and configured cntlm but it still doesn't
> work.
>
> This is my /etc/cntlm.conf (comments stripped):
>
>
> Username	username
> Password	password
> Proxy		192.168.5.253:8080
> NoProxy		localhost, 127.0.0.*, 10.*, 192.168.*
> Listen		3128
>
>
>
> When I run 'sudo /usr/sbin/cntlm -v', I get the following output:
>
>
> section: global, Username = 'username'
> section: global, Password = 'password'
> section: global, Proxy = '192.168.5.253:8080'
> section: global, NoProxy = 'localhost, 127.0.0.*, 10.*, 192.168.*'
> section: global, Listen = '3128'
> Default config file opened successfully
> cntlm: Proxy listening on 127.0.0.1:3128
> cntlm: Resolving proxy 192.168.5.253...
> Adding no-proxy for: 'localhost'
> Adding no-proxy for: '127.0.0.*'
> Adding no-proxy for: '10.*'
> Adding no-proxy for: '192.168.*'
> cntlm: Workstation name used: deagol
> cntlm: Using following NTLM hashes: NTLMv2(1) NT(0) LM(0)
> cntlm[2685]: Cntlm ready, staying in the foreground
>
> ******* Round 1 C: 5 *******
> Reading headers (5)...
> HEAD: GET http://leerstad.be/ HTTP/1.1
>    NO: leerstad.be (localhost)
>    NO: leerstad.be (127.0.0.*)
>    NO: leerstad.be (10.*)
>    NO: leerstad.be (192.168.*)
> Thread processing...
> Host                           => leerstad.be
> User-Agent                     => Mozilla/5.0 (X11; U; Linux i686; nl;
> rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10
> Accept                         =>
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language                => nl,en-us;q=0.7,en;q=0.3
> Accept-Encoding                => gzip,deflate
> Accept-Charset                 => ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive                     => 115
> Proxy-Connection               => keep-alive
> Cache-Control                  => max-age=0
> cntlm[2343]: 127.0.0.1 GET http://leerstad.be/
> NTLM Request:
> 	   Domain:
> 	 Hostname: deagol
> 	    Flags: 0xA208B205
>
> Sending PROXY auth request...
> Host                           => leerstad.be
> User-Agent                     => Mozilla/5.0 (X11; U; Linux i686; nl;
> rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10
> Accept                         =>
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language                => nl,en-us;q=0.7,en;q=0.3
> Accept-Encoding                => gzip,deflate
> Accept-Charset                 => ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive                     => 115
> Proxy-Connection               => keep-alive
> Cache-Control                  => max-age=0
> Proxy-Authorization            => NTLM
> TlRMTVNTUAABAAAABbIIogAAAAAmAAAABgAGACAAAABERUFHT0w=
> Content-Length                 => 0
>
> Reading PROXY auth response...
> HEAD: HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires
> authorization to fulfill the request. Access to the Web Proxy filter is
> denied.  )
> Via                            => 1.1 SERV-PROXY
> Proxy-Authenticate             => Negotiate
> Proxy-Authenticate             => Kerberos
> Proxy-Authenticate             => NTLM
> Connection                     => close
> Proxy-Connection               => close
> Pragma                         => no-cache
> Cache-Control                  => no-cache
> Content-Type                   => text/html
> Content-Length                 => 4118
> Discarding 4118 bytes.
> cntlm[2343]: Proxy returning invalid challenge!
> Sending headers (6)...
> Host                           => leerstad.be
> User-Agent                     => Mozilla/5.0 (X11; U; Linux i686; nl;
> rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10
> Accept                         =>
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language                => nl,en-us;q=0.7,en;q=0.3
> Accept-Encoding                => gzip,deflate
> Accept-Charset                 => ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive                     => 115
> Proxy-Connection               => keep-alive
> Cache-Control                  => max-age=0
> headers_send: fd 6 warning -999 (connection closed)
> forward_request: palive=0, authok=0, ntlm=0, closed=1
>
> Thread finished.
> proxy_thread: request rc = ffffffff
> Joining thread 3079035760; rc: 0
>
>
>
> Username is correct, password is correct, proxy server is correct, domain
> is not needed. What else did I get wrong?


FYI.
At school I have a time window of 4 hours/week to debug this issue.
But at work we also have ISA, and there I see the same cntlm problem. That
gives me a time window of 40 hours/week to troubleshoot.

At work the proxy address, username and password are of course different,
and this time I also have a domain. Still no connection, still Proxy
Authentication Required.

I know that the proxy, user, domain, password are correct because it works
if I fill them in directly in the network settings of Synaptic or Firefox.

I use version 0.91~rc6-0ubuntu1.

-- 
Amedee

More information about the ubuntu-users mailing list