cntlm: Proxy returning invalid challenge

[Amedee Van Gasse]

On Mon, October 18, 2010 16:49, sktsee wrote:

> 1. Fire up wireshark and capture the auth negotiation between your
> machine and the ISA server. Wireshark has expert analysis for a lot of
> differnent protocols, so maybe it will provide a clue as to why the auth
> is failing.

Ok I will do that first.

> 2. Try ntlmaps. The package description for ntlmaps says that it can
> alter the client's request headers to make it appear to the server that
> the connectign client is MS IE. Presumably, it's talking about faking the
> user-agent string of your browser. IIRC, the debug output listed in one
> of your previous messages contained a line identifying an unaltered
> Firefox/Ubuntu user-agent string being sent to the ISA server. I know
> nothing about ISA servers, but if ntlmaps has client impersonation as a
> feature, then maybe its a requirement for NTLM auth. Alternately, if you
> are really set on making cntlm work, but it doesn't have the ability to
> modify the client headers to look like MS IE, then install the User-agent
> Switcher, or Modify Headers addon to do it from the browser.

cntlm can do that too. In fact, cntlm is a complete rewrite of ntlmaps.
According to the author, cntlm should do everything that ntlmaps does, but
a lot faster.
I will keep your suggestion in mind, but I will keep it until last. I will
try the other things first.

> 3. http://forums.isaserver.org/ Dates of recently posted messages
> indicate active participation. I can't speak to forum members' expertise
> and attitude towards Linux users, though.

Attitude seems neutral, but I'm afraid that expertise isn't up to my
specific needs.

> 4. Speak with the ISA system administrator and have her/him look at the
> server logs to identify the problem? I know, I know... it seems almost
> blasphemous to the spirit of Linux DIY troubleshooting to suggest such an
> action, which is why I list it only as a last resort.

Will do, while he still owes me a favor. ;-)

-- 
Amedee