How to get your iPhone on WiFi when your proxy uses NTLM (thanks to NTLMAPS)


I have been struggling to get my iPhone working against my corporate ISA proxy server. Once I had connected to WiFi, Safari would continually prompt me for my domain user name and password, and none of the apps would work (maybe because they didn't know how to prompt me for credentials).

After a bit of poking around with Fiddler, telnet, and all sorts of settings, I was certain that the problem was our ISA Proxy server's NTLM authentication.

NTLM is an authentication mechanism from Microsoft. Microsoft's ISA Proxy Server uses NTLM to tell which Active Directory user is attempting to access the internet.

If you're surfing with Internet Explorer, it picks up your username directly from your login, and you might not even realise that IE is authenticating you. If you're using Firefox, you might get prompted the first time you go on the internet. As far as I can tell, Google Chrome prompts you each time you launch it.

If you're trying to get online with an iPhone, you're not so lucky. Safari will prompt you for credentials every time you change domains (actually, I'm pretty impressed that it can authenticate at all – nice work Apple, don't give up!). This gets tiresome. What's more, anything else that wants to use the internet from your iPhone has no chance.


iPhone and ISA don't play nicely

So how do we get around this? It's not easy. It has the potential to let other people leech your personal bandwidth and get you into trouble, if you don't do it right. But I HAD to get online, so I started writing my own proxy server that would "chain" to ISA. It would be capable of hiding the NTLM authentication from whatever system was using it as a proxy, and then providing a preconfigured username and password to ISA "up" the chain. In order to keep my login safe from other people who could just use my proxy server, I would have locked down which IP addresses could use my proxy server.

As it turns out, someone's already built an "NTLM Authorization Proxy Server", and thoughtfully called it "NTLMAPS". It's written in Python, and it works perfectly. It even has a feature to lock down IP addresses, which I strongly recommend you use.


NTLMAPS hides ISA's nastiness from the iPhone

So how to get started? I installed NTLMAPS on my workstation – you'll need administrative rights.

  • Install Python from http://www.python.org/download/
  • Unzip the NTLMAPS release from https://sourceforge.net/project/showfiles.php?group_id=69259&package_id=68110&release_id=388621
  • Edit the server.cfg file. You will need to change the following keys
    • PARENT_PROXY – your ISA proxy server
    • PARENT_PROXY_PORT – your ISA proxy port
    • ALLOW_EXTERNAL_CLIENTS – set this to 1 to allow your iPhone to connect
    • FRIENDLY_IPS – put your iPhone's current wifi IP here unless you want to let everyone on your account! You'll have to change this a lot.
    • NT_DOMAIN
    • USER
    • PASSWORD – you can leave this blank if you want – every time you start the server it will prompt you.
  1. Edit the batch file so that it points to the correct python.exe
  2. Launch the batch file. You'll now have the NTLMAPS proxy server up & running. It will tell you the hostname and the port. If you've got a firewall going, and you're lucky, the firewall will ask if you want to unblock that port.
  3. Make sure that whatever firewall you've got installed allows incoming connections to NTLMAPS
  4. Set up your iPhone to use your own computer as a proxy. You can do this in settings>general>network>wifi>your current wifi network. You can turn authentication off, but the server and the port (under manual proxy) should be what NTLMAPS has told you to use.

There! You should be good to go. You can make sure your iPhone is getting its internet through WiFi by temporarily changing your cellular data gateway to something incorrect. Google Maps, the App Store, Weather, they should all start working once you've done this, as long as NTLMAPS is running.
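Because the proxy hands your domain credentials to ISA on behalf of whoever connects, it is worth checking server.cfg before launching the batch file. The script below is an added example, not part of NTLMAPS or the original post: it flags the settings the post warns about. The sample config is constructed, and the `KEY:value` line format, the space-separated FRIENDLY_IPS list and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample using the keys named in the post; all values are placeholders.
# Assumption: "KEY:value" lines, with FRIENDLY_IPS separated by spaces.
SAMPLE_CFG = """\
PARENT_PROXY:isa.example.internal
PARENT_PROXY_PORT:8080
ALLOW_EXTERNAL_CLIENTS:1
FRIENDLY_IPS:192.168.1.23 192.168.1.0/24
NT_DOMAIN:EXAMPLE
USER:jdoe
PASSWORD:placeholder-password
"""

def parse_cfg(text):
    """Return {KEY: value}, skipping blanks, comments and [SECTION] headers."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        match = re.match(r"([A-Z_]+)\s*[:=]\s*(.*)$", line)
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings

def audit(settings):
    """Return findings for the exposure the post warns about."""
    findings = []
    external = settings.get("ALLOW_EXTERNAL_CLIENTS", "0") == "1"
    friendly = settings.get("FRIENDLY_IPS", "").replace(",", " ").split()
    if external and not friendly:
        findings.append("FRIENDLY_IPS empty while external clients are allowed")
    for entry in friendly:
        try:
            # This example's choice: only single host addresses pass,
            # since the post says to list the iPhone's current IP.
            ipaddress.ip_address(entry)
        except ValueError:
            findings.append(f"FRIENDLY_IPS entry is not a single IP: {entry}")
    if settings.get("PASSWORD"):
        findings.append("PASSWORD stored in file; blank makes the server prompt")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_cfg(SAMPLE_CFG)):
        print(finding)
```

The script only reads the file; it does not test how NTLMAPS combines ALLOW_EXTERNAL_CLIENTS and FRIENDLY_IPS. Once the server is running, confirm from a device whose IP is not listed that the proxy refuses the connection.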

Let me know how it goes!


Pasted from <http://www.robfe.com/2008/09/how-to-get-your-iphone-on-wifi-when-your-proxy-uses-ntlm/>

