Experiences in installing and configuring cntlm

Source: Internet
Author: User
In network-proxy environments that use NTLM for authentication (that is, besides the proxy host and port you must also supply a domain user and password), reaching the Internet through the proxy is a headache, mainly because much software does not support NTLM-authenticating proxies. For example, git at the time of writing does not support NTLM proxy authentication: even with the domain account and password specified in the proxy URL, the connection still fails with an error such as "Received HTTP code 407 from proxy after connect", meaning the authentication did not pass. If a tool could encapsulate the NTLM authentication and expose an ordinary HTTP proxy to the outside, third-party applications could reach the network simply by configuring a plain proxy. That is exactly the problem cntlm (project site: http://cntlm.sourceforge.net/) solves! Because cntlm also has a Linux version, passing NTLM proxy authentication from a Linux system is feasible as well. Original article: http://blog.csdn.net/bluishglc/article/details/37600773. Reprinting in any form is prohibited; otherwise CSDN will be entrusted with enforcing the rights.

Configuration
After downloading and installing cntlm, you only need to edit cntlm.ini, supply the information needed for authentication, and then start cntlm as a service. The following important settings in cntlm.ini may need to be changed:
  • Username-Your domain/Proxy account name

  • Domain-The actual Domain Name

  • Workstation-NetBIOS name of your workstation; cntlm tries to autodetect it, but you might want to set it explicitly should dialect detection fail (see below)

  • Proxy-IP address (or ping-able hostname) of your proxy; if you use several alternative proxies or know of backup ones, use this option multiple times; if one stops working, cntlm will move on to the next

  • Listen-Local port number which cntlm should bind to; the default is OK, but remember you can't have more than one application per port; you can use netstat to list the ports already in use (lines marked LISTENING)

The Listen item is the port that cntlm opens locally as an ordinary (unauthenticated) proxy. If my Windows domain is ABC, my account is laurence, the password is 123, and the proxy server is 192.168.0.1:80, then cntlm.ini should be configured as follows:


#
# Cntlm Authentication Proxy Configuration
#
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.
#

Username        laurence
Domain          abc
Password        123
# NOTE: Use plaintext password only at your own risk
# Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
# command sequence to get the right config for your environment.
# See cntlm man page
# Example secure config shown below.
# PassLM          1AD35398BE6565DDB5C4EF70C0593492
# PassNT          77B9081511704EE852F94227CF48A793
# PassNTLMv2      D5826E9C665C37C80B53397D5C07BBCB    # Only for user 'testuser', domain 'corp-uk'

# Specify the netbios hostname cntlm will send to the parent
# proxies. Normally the value is auto-guessed.
#
#Workstation     netbios_hostname

# List of parent proxies to use. More proxies can be defined
# one per line in format <proxy_ip>:<proxy_port>
#
Proxy           192.168.0.1:80

# List addresses you do not want to pass to parent proxies
# * and ? wildcards can be used
#
NoProxy         localhost, 127.0.0.*, 10.*, 192.168.*

# Specify the port cntlm will listen on
# You can bind cntlm to specific interface by specifying
# the appropriate IP address also in format <local_ip>:<local_port>
# Cntlm listens on 127.0.0.1:3128 by default
#
Listen          3128

# If you wish to use the SOCKS5 proxy feature as well, uncomment
# the following option. It can be used several times
# to have SOCKS5 on more than one port or on different network
# interfaces (specify explicit source address for that).
#
# WARNING: The service accepts all requests, unless you use
# SOCKS5User and make authentication mandatory. SOCKS5User
# can be used repeatedly for a whole bunch of individual accounts.
#
#SOCKS5Proxy     8010
#SOCKS5User      dave:password

# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
#
# This example is the most universal setup known to man, but it
# uses the weakest hash ever. I won't have its usage on my
# conscience. :) Really, try -M first.
#
#Auth            LM
#Flags           0x06820000

# Enable to allow access from other computers
#
#Gateway         yes

# Useful in Gateway mode to allow/restrict certain IPs
# Specify individual IPs or subnets one rule per line.
#
#Allow           127.0.0.1
#Deny            0/0

# GFI WebMonitor-handling plugin parameters, disabled by default
#
#ISAScannerSize     1024
#ISAScannerAgent    Wget/
#ISAScannerAgent    APT-HTTP/
#ISAScannerAgent    Yum/

# Headers which should be replaced if present in the request
#
#Header          User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

# Tunnels mapping local port to a machine behind the proxy.
# The format is <local_port>:<remote_host>:<remote_port>
#
#Tunnel          11443:remote.com:443


Use the default listening port 3128. Whether the configuration is correct can be verified with the following command (-c names the config file, -I prompts for the password interactively instead of reading it from the file, and -M probes the parent proxy with the given URL to detect the NTLM dialect it accepts):

cntlm -c /path/to/cntlm.ini -I -M http://www.baidu.com

If the result returned is normal, the configuration items are correct. Then start the cntlm service so that it runs in the background:

net start cntlm

After the service is started, set the proxy server to 127.0.0.1 (the local machine) and the proxy port to 3128 (the Listen port configured in cntlm.ini) in each application. Note that cntlm answers this local port without any authentication using your domain credentials, so leave it bound to 127.0.0.1 unless you really need Gateway mode, and in that case restrict clients with the Allow/Deny rules.
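The article's diagnosis rests on one observable: a parent proxy that demands NTLM answers an unauthenticated request with 407 and a Proxy-Authenticate header naming NTLM or Negotiate, while cntlm's local port should answer 200 to the same request. As an added example (not part of the original article or of cntlm), the Python below parses such a proxy reply, classifies it, and can send a raw CONNECT to a proxy to fetch a real reply. The two sample replies are constructed inline; the proxy address 127.0.0.1:3128 and the target www.baidu.com come from the article, and the exact status text a given proxy returns is an assumption.

```python
import socket


def parse_proxy_response(raw: bytes) -> dict:
    """Parse the status line and Proxy-Authenticate headers of an HTTP proxy reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    status = int(parts[1])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate":
            # first token is the scheme; "NTLM <base64>" would carry a challenge
            schemes.append(value.strip().split(" ", 1)[0])
    return {"status": status, "schemes": schemes}


def diagnose(status: int, schemes: list) -> str:
    """Turn a parsed reply into the practical conclusion."""
    if 200 <= status < 300:
        return "ok: proxy accepted the request without authentication"
    if status == 407:
        lowered = [s.lower() for s in schemes]
        if "ntlm" in lowered or "negotiate" in lowered:
            return ("407: parent proxy demands NTLM/Negotiate; "
                    "point the client at cntlm (127.0.0.1:3128) instead")
        if "basic" in lowered:
            return "407: proxy wants Basic authentication (plain user:password)"
        return "407: proxy wants authentication, schemes offered: %s" % (schemes or "none")
    return "unexpected status %d from proxy" % status


def probe_connect(proxy_host: str, proxy_port: int,
                  target_host: str = "www.baidu.com", target_port: int = 443,
                  timeout: float = 5.0) -> dict:
    """Send a raw, unauthenticated CONNECT through a proxy and parse its reply.
    Real network I/O: run it against 127.0.0.1:3128 (cntlm) and against the
    parent proxy to see the two different answers."""
    req = ("CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n"
           "Proxy-Connection: keep-alive\r\n\r\n"
           % (target_host, target_port, target_host, target_port)).encode("ascii")
    buf = b""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(req)
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_proxy_response(buf)


# Constructed sample replies (what a parent NTLM proxy and cntlm typically send).
SAMPLE_407_NTLM = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                   b"Proxy-Authenticate: NTLM\r\n"
                   b"Proxy-Authenticate: Negotiate\r\n"
                   b"Content-Length: 0\r\n\r\n")
SAMPLE_200 = b"HTTP/1.1 200 Connection established\r\n\r\n"


if __name__ == "__main__":
    for raw in (SAMPLE_407_NTLM, SAMPLE_200):
        parsed = parse_proxy_response(raw)
        print(parsed, "->", diagnose(parsed["status"], parsed["schemes"]))
    # Live check once the service is running:
    # r = probe_connect("127.0.0.1", 3128); print(diagnose(r["status"], r["schemes"]))
```

For git specifically, the "plain proxy" setting the article describes is git config --global http.proxy http://127.0.0.1:3128; if probe_connect against 127.0.0.1:3128 still yields a 407, cntlm itself failed to authenticate upstream and the service log is the next place to look.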

Logs and Common Errors
The vast majority of cntlm errors show up as the service failing to start. The specific causes are many; fortunately, cntlm writes good log messages that help find the root cause. To view the cntlm log: Start -> Settings -> Control Panel -> Administrative Tools -> Event Viewer; in the tree on the left select Windows Logs -> Application, then in the right-hand panel filter the current log with the event source set to cntlm so that only cntlm entries are shown.

Here we will introduce two possible errors:

1. cntlm: pid xxxx: possible duplicate cygwin1.dll:/socat-1.7.2.1/cygwin1.dll.



Errors like this are caused by cygwin1.dll conflicts: several tools ship their own cygwin1.dll, and if the versions are incompatible the error above is reported. The simplest fix is to first remove the other copies.
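Before deleting anything it helps to know where the competing copies live and whether they are actually different builds. As an added example (not from the original article or from cntlm or Cygwin), the Python below walks a list of directories for a DLL name, hashes each copy, and reports whether the copies are identical or distinct; demo() builds two throw-away directories with differing constructed cygwin1.dll contents so the check runs offline. The directory list to use on a real machine is PATH plus the install directory of cntlm and of any other Cygwin-based tool (here socat, as in the error above).

```python
import hashlib
import os
import tempfile


def path_dirs(path_env=None) -> list:
    """Split a PATH-style string (default: the process PATH) into directories."""
    if path_env is None:
        path_env = os.environ.get("PATH", "")
    return [d for d in path_env.split(os.pathsep) if d]


def find_dll_copies(name: str, dirs: list) -> list:
    """Return (path, size, sha256) for every file called `name` in `dirs`."""
    hits = []
    for d in dirs:
        p = os.path.join(d, name)
        if os.path.isfile(p):
            with open(p, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            hits.append((p, os.path.getsize(p), digest))
    return hits


def report(hits: list) -> str:
    """Identical copies are harmless; distinct builds are the conflict case."""
    if len(hits) <= 1:
        return "no duplicates"
    distinct = {h[2] for h in hits}
    if len(distinct) == 1:
        return "%d identical copies" % len(hits)
    return "%d copies with %d distinct builds: conflict likely" % (len(hits), len(distinct))


def demo() -> str:
    """Constructed scenario: two tools each ship a different cygwin1.dll."""
    with tempfile.TemporaryDirectory() as root:
        a = os.path.join(root, "cntlm")
        b = os.path.join(root, "socat-1.7.2.1")
        os.makedirs(a)
        os.makedirs(b)
        with open(os.path.join(a, "cygwin1.dll"), "wb") as f:
            f.write(b"constructed cygwin build 1")
        with open(os.path.join(b, "cygwin1.dll"), "wb") as f:
            f.write(b"constructed cygwin build 2")
        return report(find_dll_copies("cygwin1.dll", [a, b]))


if __name__ == "__main__":
    print(demo())
    # On a real machine: add the cntlm and socat install directories to PATH dirs
    # hits = find_dll_copies("cygwin1.dll", path_dirs() + [r"C:\Program Files\Cntlm"])
```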

2. cntlm: parent proxy address missing



This is an easily misleading error. In most cases it is not because the Proxy is specified incorrectly in cntlm.ini, but because cntlm did not find the cntlm.ini file at all when it started. One possible cause is changing the default installation directory when installing cntlm, which looks like a cntlm bug. I don't know whether the -c parameter works on the startup configuration page of the cntlm service (Control Panel > Administrative Tools > Services); if you are interested, try it. I fixed the problem by reinstalling cntlm with the default settings.
