Sending NULL in "Calling workstati...

Help
2011-12-29
2013-05-23
  • Hello,

    First, let me express my gratitude for such a great software. It's incredibly useful and very well implemented.

    I was able to set it up very easily, but my proxy denied (400) me requests to OpenDNS-banned sites, while my browser (using IE proxy settings) allowed me to access them.

    I ran Wireshark to understand why that difference of behavior, and what I found was that in the NTLMSSP_NEGOTIATE phase, IE sends a Proxy-Authorization header with "Calling workstation domain" at NULL and "Calling workstation name" at NULL. Therefore, the NTLMSSP_CHALLENGE response is issued from a different Domain, and I guess that it's that Domain that let me bypass OpenDNS.

    During the NTLMSSP_AUTH phase, IE send the right "Domain name" and "Host name". It's only during the NTLMSSP_NEGOTIATE phase that IE send NULL in "Calling workstation domain" and "Calling workstation name".

    So my question is : is it possible to configure cntlm in such a way that it will send NULL in these places?

     
  • Actually, after further investigation, I noticed that the NEGOTIATE flags were different. IE sends :

    Negotiate OEM Workstation Supplied: Not set
    Negotiate OEM Domain Supplied: Not set
    Negotiate OEM: Set

    While cntlm sends:

    Negotiate OEM Workstation Supplied: Set
    Negotiate OEM Domain Supplied: Set
    Negotiate OEM: Not set

    Is there a switch for cntlm that would enable "OEM Negotiation" ?

     
  • David Kubicek
    David Kubicek
    2012-01-10

    Well, you can configure the flags that are sent, see the Flags option. But, Cntlm doesn't look at these particular bits so it will include the host name and domain name anyway. However, the other side is probably Microsoft code that should honor these bits and ignore the supplied fields when they're not signalled in the bit mask.

    Try it and let me know. If that doesn't help, I could implement an extension for you that would make this behavior optional.