Configure Linux to use NTLM authentication proxy (ISA Server) using CNTLM


About Cntlm proxy

Quoted from the official ctnlm Website: "Cntlm is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy intended to help you break free from the chains of Microsoft proprietary world. You can use a free OS and honor our noble idea, but you can't hide. Once you're behind those cold steel bars of a corporate proxy server requiring NTLM authentication, you're done with. The same even applies to 3rd party Windows applications, which don't support NTLM natively.

Here comes Cntlm. It stands between your applications and the corporate proxy, adding NTLM authentication on-the-fly. You can specify several "parent" proxies and Cntlm will try one after another until one works. All auth'd connections are cached and reused to achieve high efficiency. Just point your apps proxy settings at Cntlm, fill in cntlm.conf (cntlm.ini) and you're ready to do. This is useful on Windows, but essential for non-Microsoft OS's.

Cntlm integrates TCP/IP port forwarding (HTTP tunneling), SOCKS5 proxy mode, standalone proxy allowing you to browse intranet as well as Internet and to access corporate web servers with NTLM protection. There are many advanced features like NTLMv2 support, password protection, password hashing, completely mutliplatform code (running on just about every architecture and OS out there) and so much more. Cntlm eats up so little resources it can be used on embedded platforms as well - it's written in plain C without any external dependencies.

Cntlm has been tested against various ISA servers, WinGate, NetCache, Squid and Tinyproxy with and without NTLM auth."

About this tutorial

This tutorial assumes you have a clean install of Debian 7.


1. Install CNTLM

Update your sources:

apt-get update

Update your installation:

apt-get upgrade

Install application:

apt-get install cntlm


2. Configure CNTLM

Once installed edit the configuration file:

nano /etc/cntlm.conf

Set username, domain, remote proxy, and address with port which local proxy will listen to. Here will listen only in local interface:

Username        testuser

Generate password hash:

cntlm -H

You will see something like this:

PassLM          7F4BB72132BAA2A01FA94BD623A70D3B
PassNT          2C27BB146F74625D159413FC1F30745F
PassNTLMv2      D3972609581D8260868ED588303F0FF0    # Only for user 'testuser', domain 'contoso'

Copy these lines to /etc/cntlm.conf


3. Configure Debian to use the CNTLM proxy:

Execute this line to configure system to use the local proxy:

export http_proxy=


4. Configure CNTLM to listen external network:

If you need to use CNTLM as a proxy server, add this line to /etc/cntlm.conf (assuming is the local address):




NTLM Info:

Share this page:

2 Comment(s)