cntlm: Proxy returning invalid challenge

Knight knightotp at
Tue Oct 12 10:27:47 UTC 2010

On Tue, 2010-10-12 at 11:55 +0200, Amedee Van Gasse (ub) wrote:
> On Mon, October 11, 2010 20:44, Amedee Van Gasse (ub) wrote:
> > I'm taking evening classes in Java. The internet connection is protected with
> > an ISA server. We got the proxy server, port, login and password from the
> > teacher.
> > My fellow students all have Windows on their laptops and have no problem
> > getting online with their browser.
> >
> > For me it doesn't work because it appears that ISA requires NTLM
> > authentication. I installed and configured cntlm but it still doesn't
> > work.
> >
> > This is my /etc/cntlm.conf (comments stripped):
> >
> >
> > Username	username
> > Password	password
> > Proxy
> > NoProxy		localhost, 127.0.0.*, 10.*, 192.168.*
> > Listen		3128
> >
> FYI.
> At school I have a time window of 4 hours/week to debug this issue.
> But at work we also have ISA, and there I see the same cntlm problem. That
> gives me a time window of 40 hours/week to troubleshoot.
> At work the proxy address, username and password are of course different,
> and this time I also have a domain. Still no connection, still Proxy
> Authentication Required.
> I know that the proxy, user, domain, password are correct because it works
> if I fill them in directly in the network settings of Synaptic or Firefox.
> I use version 0.91~rc6-0ubuntu1.
> -- 
> Amedee

Hi Amedee,

A quick search brought me to this possible solution:

The last post brings a possible reason and solution.

The versions of cntlm are not the same but because of the error 407,
mentioned on the forum and in your output, could it be that you need to
set the HTTPAUTH parameter to 1 in your config file?

I have modified CNTLM v0.35.1 to do exactly that without impacting the
existing functionality, i.e. I have added support for BASIC HTTP
Authentication and it works like a charm. There is a new parameter
HTTPAUTH added in the cntlm.conf file which needs to be set to 1. The
default value is 0. If the new parameter is not set to 1 then the first
GET request will be authenticated but subsequent GETs using the same
connection will fail and will lead to a lot of traffic between the
client and the proxy.

Hope this is a match and solves the problem.
Knight Of The Post

Linux Pro or Pro Linux?!
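
Added example (not part of the thread and not cntlm's code): a Python check that reads a proxy's 407 response, lists the schemes offered in `Proxy-Authenticate`, and verifies that an NTLM token has the Type 2 (challenge) layout, which separates "proxy only offers Basic" from "proxy sent a malformed NTLM challenge". The sample responses and function names are constructed for illustration.

```python
import base64
import struct

def parse_proxy_challenges(raw_response):
    """Map each scheme in the Proxy-Authenticate headers to its token ('' if none)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    offers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate":
            scheme, _, token = value.strip().partition(" ")
            offers[scheme.upper()] = token.strip()
    return offers

def check_ntlm_type2(token):
    """Validate an NTLM Type 2 (challenge) token; raise ValueError if malformed."""
    if not token:
        raise ValueError("NTLM offered without a challenge token")
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError as exc:                    # binascii.Error subclasses ValueError
        raise ValueError("challenge is not valid base64") from exc
    if len(blob) < 32 or blob[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature or truncated message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type != 2:
        raise ValueError(f"expected message type 2, got {msg_type}")
    (flags,) = struct.unpack_from("<I", blob, 20)
    return {"flags": flags, "server_challenge": blob[24:32].hex()}

# Constructed sample data (not captured from a real proxy): a minimal 32-byte Type 2.
TYPE2 = b"NTLMSSP\x00" + struct.pack("<IHHII", 2, 0, 0, 32, 0x8201) + bytes(range(8))
SAMPLE_OK = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
             "Proxy-Authenticate: NTLM " + base64.b64encode(TYPE2).decode() + "\r\n"
             "Proxy-Authenticate: Basic realm=\"proxy\"\r\n"
             "Content-Length: 0\r\n\r\n")
SAMPLE_BAD = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
              "Proxy-Authenticate: NTLM bm90LW50bG0=\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        offers = parse_proxy_challenges(resp)
        try:
            print(label, sorted(offers), check_ntlm_type2(offers.get("NTLM", "")))
        except ValueError as err:
            print(label, sorted(offers), "invalid challenge:", err)
```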

More information about the ubuntu-users mailing list