'NTLM Authorization Proxy Server'.
Last updated on 13 December 2002.
2001-02 (C) Dmitry Rozmanov
News:
13 December 2002. Main APS mirror moved to sourceforge.net.
18 May 2002. New version 0.9.8.
WHAT IS 'NTLM Authorization Proxy Server'?
'NTLM Authorization Proxy Server' (APS) is proxy software that allows you
to authenticate via an MS Proxy Server using the proprietary NTLM protocol. Since
version 0.9.5 APS can also behave as a standalone proxy server and
authenticate http clients at web servers using the NTLM method.
It can change arbitrary values in your client's request headers so that those
requests look like they were created by MS IE.
It is written in Python (v1.5.2).
Main features:
- supports NTLM authentication via parent proxy server (Error 407 Proxy Authentication Required);
- supports NTLM authentication at web servers (Error 401 Access Denied/Unauthorized);
- supports translation of NTLM scheme to standard "Basic" authentication scheme;
- supports the HTTPS 'CONNECT' method for transparent tunnelling through parent proxy server;
- has ability to change arbitrary values in client's request headers;
- supports unlimited number of client connections;
- supports connections from external hosts;
- supports HTTP 1.1 persistent connections;
- stores the user's credentials in the config file or requests the password from the console at start time.
View ReadMe here.
View CHANGELOG here.
The server was written for wget, which could not pass through the MS Proxy set up in our LAN.
But then it turned out that even browsers can use it, so I spent some time making it
more RFC friendly, and now it looks like it works with most software that can use http/https proxies.
Even the distributed Intel-United Devices Cancer Research Project can be used with APS.
Just use HTTPS proxy in "proxy settings" of the United Devices' software and
point to your local NTLMAPS, like server - "localhost" and port - "8080"
or something that you set in server.cfg.
Licensing and Pricing:
'NTLM Authorization Proxy Server' is distributed under the
GNU General Public License,
which is included in this archive (see file COPYING).
The above means that 'NTLM Authorization Proxy Server' is pretty much free.
You have to pay nothing for it.
System requirements:
Python language interpreter version 1.5.2 or higher. See www.python.org.
Old stable version: 0.9.7
Current experimental version: 0.9.8
There are no binary files in the distribution. Thus you can use the software on any system that
has Python, with minimal modifications.
NTLMAPS uses only standard modules from the Python distribution.
Download:
NOTE:
Geocities has introduced an annoying rule
that files of some types that are hosted on their servers
must be downloaded only from pages belonging to Geocities.
Thus direct links to the archives won't work.
And it looks like they determine "the right" to get the file from the referer value,
so if you have been redirected to this page, say from
freshmeat, the referer value may not be "right" and
you won't be able to download the file.
In such a case simply reload the page using the refresh command/button and try again.
It should work then.
I recommend that you take the experimental version. It should be stable enough.
Current experimental v.0.9.8
windows zip here
and tar.gz here.
Old stable v.0.9.7
windows zip here
and tar.gz here.
What's new in 0.9.8:
- internal redesign
- config file redesign
- fixed bug during HTTPS CONNECT authentication.
- fixed bug with UNICODE string conversion in NTLM msg3 creation code.
- no need for a proxy port when a proxy is not used
- fixed minor bug with an exception that was raised if there was no http header
in server's response.
- MSN Messenger and clients alike work again. It had been broken since APS 0.9.5
- minor bug in header remake (Proxy Connection -> Connection)
- fixed bug when a client sends its header slowly and the client's thread exits before
doing anything useful. This was broken since version 0.9.7
- new optional value in config file NT_HOSTNAME (see comment in server.cfg).
- DOMAIN value in config is now NT_DOMAIN, to make it clear what domain name has
to be used.
- implemented NTLM to BASIC translation.
Known issues:
- With NTLM to Basic translation you have only one try to enter the right credentials.
If you fail then restart your browser.
- There is an issue with APS working as a standalone proxy. It serves requests from
an http client one by one and allows persistent connections, so it may receive several
requests in a very short time on one thread, and one of them may be to an almost dead banner
site; then all the requests made after that one will wait until that "bad" connection
is closed due to timeout. So I suggest switching off HTTP/1.1 persistent connections
in your browser when you are using APS for web (not proxy) authentication and surfing
a banner-rich environment.
To Do:
- There are several requests to have a list of servers to which APS will connect
directly in proxy mode. This would be useful for a LAN behind MS Proxy with a number of
intranet web servers using NTLM authorization.
Troubleshooting:
There are two options in server.cfg,
DEBUG and BIN_DEBUG.
If you have troubles with the server, set these options to
DEBUG:1 and BIN_DEBUG:1
just before requesting a problem page (or resource).
You have to restart the proxy server to reread server.cfg.
This will give you 3 log files per http request (per connection to be exact), like
127.0.0.1-1048,
127.0.0.1-1048.bin.client and
127.0.0.1-1048.bin.rserver.
The first one contains information on what APS did; the two others contain raw traffic from
the client and from the proxy.
Pack them with zip or gzip and send them to me if you want me to help you.
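The raw traffic dumps described above include whatever Authorization and Proxy-Authorization headers the client sent, so Basic credentials and NTLM messages end up in the files. The following is an added example, not part of APS or its distribution, that strips those tokens from a dump before it is shared; the function names are hypothetical and the sample traffic is constructed (the NTLM message is truncated to its signature, type and flags).

```python
import base64
import re
import struct

# Headers that carry credentials or NTLM messages in HTTP traffic.
AUTH_HEADER = re.compile(
    rb"^((?:Proxy-)?Authorization|WWW-Authenticate|Proxy-Authenticate)"
    rb":[ \t]*(\S+)[ \t]+([A-Za-z0-9+/=]+)[ \t]*(\r?)$",
    re.IGNORECASE | re.MULTILINE,
)


def describe_token(scheme, token):
    """Name the kind of credential without revealing its content."""
    name = scheme.decode("ascii", "replace")
    if scheme.upper() != b"NTLM":
        return name
    try:
        msg = base64.b64decode(token, validate=True)
    except ValueError:
        return name + " (undecodable)"
    # NTLM messages start with "NTLMSSP\0" and a little-endian type field.
    if len(msg) >= 12 and msg[:8] == b"NTLMSSP\x00":
        return "%s type %d" % (name, struct.unpack("<I", msg[8:12])[0])
    return name + " (not an NTLMSSP message)"


def redact_credentials(raw):
    """Return (redacted traffic, findings) for one raw traffic dump."""
    findings = []

    def repl(m):
        kind = describe_token(m.group(2), m.group(3))
        findings.append("%s: %s" % (m.group(1).decode("ascii"), kind))
        return m.group(1) + b": " + m.group(2) + b" [REDACTED]" + m.group(4)

    return AUTH_HEADER.sub(repl, raw), findings


def constructed_sample():
    """Constructed client dump: an NTLM type 1 request and a Basic request."""
    type1 = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<II", 1, 0xB203))
    basic = base64.b64encode(b"user:not-a-real-password")
    return (b"GET http://example.test/ HTTP/1.1\r\n"
            b"Proxy-Authorization: NTLM " + type1 + b"\r\n\r\n"
            b"GET http://example.test/a HTTP/1.1\r\n"
            b"Authorization: Basic " + basic + b"\r\n\r\n")
```

Run redact_credentials over the contents of each .bin.client and .bin.rserver file and check the returned findings list before packing the files.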
Useful Links:
- NTLM Authentication Scheme for HTTP
is the most valuable information source on NTLM that allowed APS to be created. The copy of
this page is included in APS' distribution archive.
- Socks via HTTP
is a program that converts SOCKS requests into HTTP requests
and tunnels them through HTTP proxies if needed. It may be used with APS if you sit
behind an HTTP-only MS Proxy. It is written in Java so it works on any system that
has Java.
Dmitry Rozmanov / 13 December 2002 / dima@xenon.spb.ru