NTLM Authorization Proxy Server
Last updated on 22 October 2008.
Copyright (c) 2004-2006 Darryl Dixon
Copyright (c) 2001-2004 Dmitry Rozmanov
WHAT IS 'NTLM Authorization Proxy Server'?
'NTLM Authorization Proxy Server' (APS) is proxy software that allows you to authenticate via an MS Proxy Server using the proprietary NTLM protocol. Since version 0.9.5, APS can also behave as a standalone proxy server and authenticate HTTP clients at web servers using the NTLM method. It can change arbitrary values in your client's request headers so that those requests look as if they were created by MS IE. It is written in Python v1.5.2.
Main features:
- supports NTLM authentication via parent proxy server (Error 407 Proxy Authentication Required);
- supports NTLM authentication at web servers (Error 401 Access Denied/Unauthorized);
- supports translation of NTLM scheme to standard "Basic" authentication scheme;
- supports the HTTPS 'CONNECT' method for transparent tunnelling through parent proxy server;
- has ability to change arbitrary values in client's request headers;
- supports unlimited number of client connections;
- supports connections from external hosts;
- supports HTTP 1.1 persistent connections;
- stores user's credentials in config file or requests password from a console during the start time;
- supports intelligent failure detection and failover between multiple upstream proxies;
News:
**21 October 2008:** Applied all pending patches to SVN trunk, including those in the SourceForge tracker, and many from the Debian packaging. Latest trunk.tar.gz straight from SVN.
**27 January 2006:** New bugfix version on the latest stable branch - 0.9.9.0.1 (view CHANGELOG here).
NOTICE: Please be aware that the current active maintainer for the NTLM Authorization Proxy Server is now Darryl Dixon (homepage for the interested). Please use the sourceforge project page for support and feature requests, and do not bother the original author, Dmitry Rozmanov, unless absolutely necessary.
The server was written for wget, which could not pass through the MS Proxy set up in our LAN. But then it turned out that even browsers can use it, so I spent some time making it more RFC friendly, and now it looks like it works with most software that can use http/https proxies.
Even the distributed Intel-United Devices Cancer Research Project can be used with APS. Just use the HTTPS proxy in "proxy settings" of the United Devices software and point it to your local NTLMAPS, like server - "localhost" and port - "8080" or whatever you set in server.cfg.
View ReadMe here.
Licensing and Pricing:
'NTLM Authorization Proxy Server' is distributed under the GNU General Public License, which is included in this archive (see file COPYING).
The above means that 'NTLM Authorization Proxy Server' is pretty much free. You have to pay nothing for it.
System requirements:
Python language interpreter version 1.5.2 or higher. See www.python.org.
Current stable version: 0.9.9.0.1
Current experimental version: 0.9.9.5
There are no binary files in the distribution. Thus you can use the software on any system that has Python, with minimal modifications.
NTLMAPS uses only standard modules from a Python distribution.
Download:
I recommend that you take the stable version. If you are adventurous you can try the experimental version; it's usually stable enough.
SourceForge Downloads Page contains both .zip and .tar.gz formats
What's new in 0.9.9 since 0.9.8:
- Resolution of several significant bugs.
- Ability to specify more than one upstream proxy and have ntlmaps automatically fail over between them.
- Several new configuration items, such as the ability to control the number of backlogged connections supported.
Known issues:
- With NTLM to Basic translation you have only one try to enter the right credentials. If you fail, restart your browser.
- There is an issue with APS working as a standalone proxy. It serves requests from an HTTP client one by one and allows persistent connections, so it may receive several requests to one thread within a very short time. If one of them goes to an almost dead banner site, all the requests made after that one will wait until that "bad" connection is closed due to timeout. So I suggest switching off HTTP/1.1 persistent connections in your browser when you are using APS for web (not proxy) authentication and surfing a banner-rich environment.
To Do:
- Now accepting suggestions and requests: submit them at sourceforge.net
Troubleshooting:
There are two options in server.cfg, DEBUG and BIN_DEBUG. If you have trouble with the server, set these options to DEBUG:1 and BIN_DEBUG:1 just before requesting the problem page (or resource). You have to restart the proxy server for it to reread server.cfg. This will give you 3 log files per HTTP request (per connection, to be exact), like 127.0.0.1-1048, 127.0.0.1-1048.bin.client and 127.0.0.1-1048.bin.rserver. The first one records what APS did; the other two contain raw traffic from the client and from the proxy.
Pack them with zip or gzip and send them to me if you want me to help you.
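Because the .bin.* captures hold raw traffic, they include any Authorization and Proxy-Authorization values (a Basic token is only base64 of user:password, and NTLM tokens carry the challenge and response). The following is an added example, not part of NTLMAPS, that redacts those tokens before the files are shared; it assumes the captures are unmodified HTTP bytes, and the host name and credentials in the sample are constructed.

```python
import base64
import re

# Credential-bearing headers; the token must look like base64 so that
# challenges such as `Basic realm="..."` are left untouched.
AUTH_HEADER = re.compile(
    rb"^(Proxy-Authorization|Authorization|Proxy-Authenticate|WWW-Authenticate)"
    rb":[ \t]*(NTLM|Basic)[ \t]+([A-Za-z0-9+/]+={0,2})[ \t]*(\r?)$",
    re.IGNORECASE | re.MULTILINE,
)

def describe(scheme, token):
    """Return a label that is safe to keep in the log in place of the token."""
    if scheme.upper() != b"NTLM":
        return b"Basic"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return b"NTLM undecodable"
    # NTLM messages start with "NTLMSSP\0" and a little-endian message type:
    # 1 = negotiate, 2 = challenge, 3 = authenticate.
    if raw[:8] == b"NTLMSSP\x00" and len(raw) >= 12:
        return b"NTLM type %d" % int.from_bytes(raw[8:12], "little")
    return b"NTLM unrecognised"

def scrub(capture):
    """Redact auth tokens in raw HTTP bytes; returns (scrubbed, count)."""
    def repl(m):
        label = describe(m.group(2), m.group(3))
        return m.group(1) + b": [REDACTED " + label + b"]" + m.group(4)
    return AUTH_HEADER.subn(repl, capture)

# Constructed sample of what a *.bin.client capture might contain.
SAMPLE = (
    b"GET http://intranet.example/ HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Proxy-Authorization: NTLM "
    + base64.b64encode(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x00\x00")
    + b"\r\nAuthorization: Basic "
    + base64.b64encode(b"alice:example-password")
    + b"\r\n\r\n"
)

if __name__ == "__main__":
    scrubbed, count = scrub(SAMPLE)
    print(count, "header(s) redacted")
    print(scrubbed.decode("latin-1"))
```

The main log file (the one without a .bin suffix) may echo the same headers, so run it through the same function.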
Useful Links:
- NTLM Authentication Scheme for HTTP is the most valuable information source on NTLM that allowed APS to be created. A copy of this page is included in the APS distribution archive.
- Socks via HTTP is a program that converts SOCKS requests into HTTP requests and tunnels them through HTTP proxies if needed. It may be used with APS if you sit behind an HTTP-only MS Proxy. It is written in Java, so it works on any system that has Java.
- Cntlm is similar to NTLMAPS, but is written in C.
Darryl Dixon / 27 January 2006 / esrever_otua@users.sourceforge.net
Dmitry Rozmanov / 18 May 2002 / dima@xenon.spb.ru