Tips September 29, 2005 at 10:46 am

Tiger and NTLM Web Proxy Auth

I had a PowerBook that was upgraded to Tiger. The problem was that after the upgrade it was unable to do proxy authentication with our Squid proxy, which is bouncing against Active Directory for access to the web.

I tried a few things to fix this, but ended up with NTLMAPS.
The application works by creating a local web proxy, on port 5865 by default, that you point your local client to. NTLMAPS will then authenticate via NTLM to your real proxy and keep the proxy authentication session open, making it unnecessary for Safari or any other web browser to do so.

Since that’s a bit confusing, let me show how this works:

Safari -> via Network Preferences setting of web proxy to 127.0.0.1 port 5865 -> NTLMAPS -> config.py configuration file for NTLMAPS -> your NTLM authenticated “regular” proxy

  1. Download ntlmaps-0.9.9 from SourceForge.

  2. Then put ntlmaps in the /Library folder.

  3. You will need to configure the server.cfg file to match your needs. For example, enter your proxy address at PARENT_PROXY:10.1.1.2 and enter the port you use at PARENT_PROXY_PORT:8080.

Then enter your domain at NT_DOMAIN:afp548; I just entered my username at user:sunshine. I left the password blank so when I run the following script that invokes NTLMAPS it will ask me for my NT password when I want to access the internet. I’d hard code the password, but since our passwords change every 90 days it’s better to not do that.

<code>
#!/bin/sh
# Start NTLMAPS; with the password left blank in server.cfg it prompts for it.
/Library/ntlmaps-0.9.9/main.py
</code>
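
A configuration check for the setup in step 3, added here as an example (it is not part of the original post or of NTLMAPS): it flags a stored PASSWORD, which the post avoids by leaving it blank, plus two related exposures of the same file. The ALLOW_EXTERNAL_CLIENTS key and the flat KEY:value parsing are assumptions about the stock server.cfg, and the sample values are constructed from the ones in the post.

```python
import os
import stat
import sys
import tempfile

# Constructed sample using the values from step 3; PASSWORD is filled in on purpose.
SAMPLE_CFG = """\
PARENT_PROXY:10.1.1.2
PARENT_PROXY_PORT:8080
ALLOW_EXTERNAL_CLIENTS:1
NT_DOMAIN:afp548
USER:sunshine
PASSWORD:Example-Only-1
"""


def parse_cfg(text):
    """Return {KEY: value}; keys upper-cased, comments and [SECTION] lines skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#[" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip().upper()] = value.strip()
    return settings


def audit(path):
    """Return a list of findings for the NTLMAPS config file at `path`."""
    with open(path) as fh:
        cfg = parse_cfg(fh.read())
    findings = []
    if cfg.get("PASSWORD"):
        findings.append("PASSWORD is stored in clear text; leave it blank to be prompted")
    if cfg.get("ALLOW_EXTERNAL_CLIENTS", "0") != "0":
        findings.append("ALLOW_EXTERNAL_CLIENTS is on; other hosts can use your credentials")
    if stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("config is accessible to group/other; chmod 600 it")
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # demo on the constructed sample
        sample = os.path.join(tmp, "server.cfg")
        with open(sample, "w") as fh:
            fh.write(SAMPLE_CFG)
        target = sys.argv[1] if len(sys.argv) > 1 else sample
        print("\n".join(audit(target)) or "no findings")
```

Pass the path to your own server.cfg as the first argument to audit it instead of the sample.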

No Comments

  • I think 10.4.2 ‘fixed’ Safari and NTLM auth.

    We had the same problem, but once 10.4.2 was installed, Safari could authenticate via NTLM.



    bryan

  • I was one of the unlucky ones that the update didn’t fix.

  • 10.4.2 fixed our problem using MS IIS proxy server.
    We do, however, still have problems using QuickTime 7 (no movies load) and the
    iTunes Music Store (clears out the password you previously saved for Safari
    then asks repeatedly for username and password).
    It is really frustrating that Apple doesn’t test in an Enterprise environment. We
    couldn’t push our Macs to 10.4 until the proxy component worked. I wasn’t
    about to support 130 Macs running NTLMaps.
