#19 Unable to authenticate, getting 407 unauthorized error

Milestone: v1.0 (example)

Status: open

Owner: nobody

Labels: None

Priority: 1

Updated: 2019-02-05

Created: 2019-02-01

Creator: Tammy

Private: No

hello team,

i'm getting authentication error even including my username and password, same credentials work if i'm usnig a Windows machine to authenticate against same proxy. below is my config from /etc/cntlm.conf and snippet of the log.

Cntlm Authentication Proxy Configuration

NOTE: all values are parsed literally, do NOT escape spaces,

do not quote. Use 0600 perms if you use plaintext password.

Password

NOTE: Use plaintext password only at your own risk

Use hashes instead. You can use a "cntlm -M" and "cntlm -H"

command sequence to get the right config for your environment.

See cntlm man page

Example secure config shown below.

PassLM 1AD35398BE6565DDB5C4EF70C0593492

PassNT 77B9081511704EE852F94227CF48A793

Only for user 'testuser', domain 'corp-uk'

PassNTLMv2 D5826E9C665C37C80B53397D5C07BBCB

Username **
Domain AD
Auth NTLM

PassLM 15DB0857E10A95F6E058C518BAF4FFCC

PassNT AB40280C3FB6D4E2901475A5AEA6C6A7

PassNTLMv2 CAD73297489080DB75931FA3C435FD4D

Specify the netbios hostname cntlm will send to the parent

proxies. Normally the value is auto-guessed.

Workstation netbios_hostname

List of parent proxies to use. More proxies can be defined

one per line in format <proxy_ip>:<proxy_port></proxy_port></proxy_ip>

Proxy *****
Proxy *****
Proxy ********

List addresses you do not want to pass to parent proxies

* and ? wildcards can be used

NoProxy localhost, 127.0.0., 10., 192.168.*

Specify the port cntlm will listen on

You can bind cntlm to specific interface by specifying

the appropriate IP address also in format <local_ip>:<local_port></local_port></local_ip>

Cntlm listens on 127.0.0.1:3128 by default

Listen 3128

If you wish to use the SOCKS5 proxy feature as well, uncomment

the following option. It can be used several times

to have SOCKS5 on more than one port or on different network

interfaces (specify explicit source address for that).

WARNING: The service accepts all requests, unless you use

SOCKS5User and make authentication mandatory. SOCKS5User

can be used repeatedly for a whole bunch of individual accounts.

SOCKS5Proxy 8010

SOCKS5User dave:password

Use -M first to detect the best NTLM settings for your proxy.

Default is to use the only secure hash, NTLMv2, but it is not

as available as the older stuff.

This example is the most universal setup known to man, but it

uses the weakest hash ever. I won't have it's usage on my

conscience. :) Really, try -M first.

Auth LM

Flags 0x06820000

Enable to allow access from other computers

Gateway yes

Useful in Gateway mode to allow/restrict certain IPs

Specifiy individual IPs or subnets one rule per line.

Allow 127.0.0.1

Deny 0/0

GFI WebMonitor-handling plugin parameters, disabled by default

ISAScannerSize 1024

ISAScannerAgent Wget/
ISAScannerAgent APT-HTTP/
ISAScannerAgent Yum/

Headers which should be replaced if present in the request

Header User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

Tunnels mapping local port to a machine behind the proxy.

The format is <local_port>:<remote_host>:<remote_port></remote_port></remote_host></local_port>

Tunnel 11443:remote.com:443

pleae note that our proxy server uses following format: http://<proxy_address>:port/proxy.pac</proxy_address>

[root@smart-750-vss1 tmp]# cntlm -M http://www.cibc.com
Password:
Config profile 1/4... Credentials rejected
Config profile 2/4... Credentials rejected
Config profile 3/4... Credentials rejected
Config profile 4/4... Credentials rejected

Wrong credentials, invalid URL or proxy doesn't support NTLM nor BASIC.

Discussion

Tammy - 2019-02-05

can we get an update on this support request please? thanks

If you would like to refer to this comment somewhere else in this project, copy and paste the following link: