Login/Register
Alternative to cntlm to authenticate behind corporate proxy
Asked Answered
proxykerberosntlm
H

6

8

I'm working in a company that's using a proxy to connect to the internet. Some of my applications, especially package-managers of any kind are unable to connect to the proxy and produce 407 (Proxy Authentication required).

As a first attempt I tried setting the proxy settings manually for each application. Example:

python -m pip install six --proxy http://user:pass@proxy:port

That did not help.

In a second attempt I set up cntlm as a local proxy to handle the authentication. That didn't help either.

Finally I found out, that we're using Kerberos for authorization. I know there's a patch for cntlm concerning kerberos authentication. But unfortunately this patch is not available for windows. (or I didn't find it)

Another workaround a collegue just informed me about is the Windows 10 linux-subsystem which allows the installation of the unix version of cntlm with the patch. That kinda enables the proxy authorization. But this does not help me, as my machine is running Windows 7.

My question is: Are there any alternatives to cntlm capable of handling Authorization process with Kerberos? (Or did I miss something that could solve my problem with cntlm?)

Huberman answered 6/12, 2017 at 12:51 Comment(1)
did you finally find a solution ?Steading
S
3

I found https://github.com/genotrance/px

Easy to install:

px --proxy=proxy.server.com --save
px --install

It doesn't need any credentials. It uses the credential of user logged in through windows apis.

Sunglass answered 18/10, 2018 at 10:16 Comment(2)
Hi, I'm trying to use Px but when I use command: px --install An error windows pops-up with following error: The program or feature C:\Program Files\Px\px.exe cannot start or run due to incompatibility with 64-bit versions of Windows. Please contact the software vendor. I'm not sure where to get the 64-bit version or resolve this problem. Thanks in advance!Rubadub
since px is just a Python program, this problem seems to be related with your Python installation - do you use the current 64bit version of python? you can also install px through Python as documentation suggests.Sunglass
P
1

You can use Winfoom. It's working for NTLM, Kerberos and PAC file proxies, but only on Windows.

Pled answered 28/11, 2019 at 10:8 Comment(2)
@Kimi Please register an issue. You need to start the application in debug mode then attach the log file to the issue.Pled
Note that it needs a java runtime.Cauline
F
0

I've been using CNTLM for several years and had a long track record of success keeping with it. This version has not been updated in quite a long time, but I've not had any issues with it yet that I can attribute to the lack of updates other than it doesn't appear to work running as a service on Windows 10. However it works just fine when using it from command line or as a scheduled task that launches on login.

I believe the problem you are experiencing is not faulted by CNTLM, but actually a problem with Python's PIP package manager. I don't know exactly what is wrong there, just that it broke around the timeline of the release of Python 3.9.1. The problem may have been resolved, but I haven't given it another chance yet and tested it.

Your mileage may vary, but I've had the best success approaching it this way. The main goal is to downgrade the version of PIP that doesn't appear to enjoy working behind a proxy. To do this you need to sneak around https temporarily by running this in the cmd prompt your doing pip install from:

Notice the lack of s in what should be https

set http_proxy=http://username:password@proxyUrl:proxyPort
set https_proxy=http://username:password@proxyUrl:proxyPort

or use this if CNTLM is setup

set http_proxy=http://localhost:proxyPort
set https_proxy=http://localhost:proxyPort

Then downgrade pip and keep it there as long as desired. If you upgrade pip you'll need to revisit this all over again should you need to install packages:

python -m pip install pip==20.2.4

once that is done revert back to this

set http_proxy=http://localhost:proxyPort
set https_proxy=https://localhost:proxyPort

and from here you should be trouble free installing packages.

Flamenco answered 29/9, 2021 at 4:56 Comment(1)
In the current version of pip I'm able to communicate through the proxy when setting the HTTP_PROXY and HTTPS_PROXY environment variables on a system scope. However this solution is no permanent fix as other applications stop working when the environment variables are set. So I enable them temporarily when needed, download pip packages, then remove proxy variables...Huberman
H
0

I found another working solution for python pip in my case. We've got an on premise Azure DevOps server running. I set up a python package feed in Azure DevOps server to host our internal packages and also cache packages from pypi. Somehow the server has no problems communicating through our proxy. The solution to this part problem is to download packages from this internal feed instead of pypi.

Huberman answered 29/3, 2022 at 10:53 Comment(0)
C
0

Alternatives:

  • PX looks nice. Automatic configuration in windows and uses an embedded Python
  • WinFoom trying now. Needs a java runtime installed in the machine. Slow to start. Automatic proxy configuration, but weird command line configuration.
  • Fiddler classic classic tool to debug HTTP requests also understand NTLM.
Cauline answered 25/7 at 18:59 Comment(0)
R
-2

Usually you would configure your proxy to disable authentication for these services (white list for clients IPs requesting a known domain). Or you would set a local replica in your own network, then all clients request your own corporate servers. Then, you update your replica by hand, or you let it go through the proxy without authentication. But in all cases, letting things update themselves automatically is not always a good idea (you could face serious issues if the process goes wrong)

Redouble answered 7/12, 2017 at 9:38 Comment(1)
I don't think whitelisting would be an option here although I'd like it to be one. Having an inhouse repository would be the best solution, but as you said, updating it automatically isn't a good idea whereas manual updates take time i think... But I eventually got it to work partially yesterday somehow. Have to do some further R&D the next days. I'll keep you updated.Huberman

© 2022 - 2024 — McMap. All rights reserved.