Configure Linux to use NTLM authentication proxy (ISA Server) using CNTLM
About Cntlm proxy
Quoted from the official ctnlm sourceforge.net Website: "Cntlm is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy intended to help you break free from the chains of Microsoft proprietary world. You can use a free OS and honor our noble idea, but you can't hide. Once you're behind those cold steel bars of a corporate proxy server requiring NTLM authentication, you're done with. The same even applies to 3rd party Windows applications, which don't support NTLM natively.
Here comes Cntlm. It stands between your applications and the corporate proxy, adding NTLM authentication on-the-fly. You can specify several "parent" proxies and Cntlm will try one after another until one works. All auth'd connections are cached and reused to achieve high efficiency. Just point your apps proxy settings at Cntlm, fill in cntlm.conf (cntlm.ini) and you're ready to do. This is useful on Windows, but essential for non-Microsoft OS's.
Cntlm integrates TCP/IP port forwarding (HTTP tunneling), SOCKS5 proxy mode, standalone proxy allowing you to browse intranet as well as Internet and to access corporate web servers with NTLM protection. There are many advanced features like NTLMv2 support, password protection, password hashing, completely mutliplatform code (running on just about every architecture and OS out there) and so much more. Cntlm eats up so little resources it can be used on embedded platforms as well - it's written in plain C without any external dependencies.
Cntlm has been tested against various ISA servers, WinGate, NetCache, Squid and Tinyproxy with and without NTLM auth."
About this tutorial
This tutorial assumes you have a clean install of Debian 7.
1. Install CNTLM
Update your sources:
Update your installation:
apt-get install cntlm
2. Configure CNTLM
Once installed edit the configuration file:
Set username, domain, remote proxy, and address with port which local proxy will listen to. Here will listen only in local interface:
Username testuser Domain contoso.com Proxy 10.0.0.41:8080 Listen 127.0.0.1:3128
Generate password hash:
You will see something like this:
Password: PassLM 7F4BB72132BAA2A01FA94BD623A70D3B PassNT 2C27BB146F74625D159413FC1F30745F PassNTLMv2 D3972609581D8260868ED588303F0FF0 # Only for user 'testuser', domain 'contoso'
Copy these lines to /etc/cntlm.conf
3. Configure Debian to use the CNTLM proxy:
Execute this line to configure system to use the local proxy:
4. Configure CNTLM to listen external network:
If you need to use CNTLM as a proxy server, add this line to /etc/cntlm.conf (assuming 10.0.0.1 is the local address):
Listen 127.0.0.1:3128 Listen 10.0.0.1:3128
NTLM Info: http://en.wikipedia.org/wiki/NT_LAN_Manager