TeamCity and Git Behind a Corporate NTLM Proxy Server


Recently I’ve had the pleasure of setting up a new build environment at work to replace our TFS Team Build setup and its build-information-opaqueness. In the process I uncovered a lot of not-so-fun-to-be-a-developer things that our large corporate IT Infrastructure team have in place to keep the masses at bay – one of those things is an NTLM proxy server. And so the head banging began – hopefully I can save you some brain cells and get you home on time.

The two things we’re going to look at today are:

  • Getting TeamCity running on Windows to see the outside world through an NTLM proxy.
  • Getting msysGit running on Windows to see the outside world through an NTLM proxy.

My situation may be different from yours but it boils down to: my build server is sitting behind an NTLM authenticated proxy server. The proxy isn’t anonymous. In short, it needs a domain username and password or NTLM token to access the internet.

Therefore I need to get TeamCity and Git to use my proxy server.

TeamCity Configuration

You’d think that TeamCity would make it relatively easy to just “point at your proxy server” from a nice page in the Administration section or similar, but you’d be living in a land of fairy tales.

Look as I did high and low, there seemed to be next to no working documentation showing how to get this working – you’d think that JetBrains had you covered with their awesome Confluence wiki. You’d be mistaken though.

After much head banging I realised that TeamCity runs on Java, and more specifically the Tomcat web server. Java allows you to pass in configuration options on start up and Tomcat Catalina has a nice configuration panel to enter these into – if you only know where to look. From within this window you can enter Java configuration options.

The options we’re looking for are:

-Dproxyset=true
-Dhttp.proxyHost=myproxyserver.mydomain.com
-Dhttp.proxyPort=8080
-Dhttp.nonProxyHosts="mydomain.com"
-Dhttps.proxyHost=myproxyserver.mydomain.com
-Dhttps.proxyPort=8080
-Dhttps.nonProxyHosts="mydomain.com"

The magical incantation to get to this panel is:

Open an elevated command prompt.

Move to the TeamCity bin folder (usually C:\TeamCity\bin).

cd C:\TeamCity\bin\

Type the command:

tomcat7w //ES//TeamCity

This will open the configuration window.

Move to the Java tab.

Enter the options mentioned above.

Hit Apply and restart TeamCity (the TeamCity Service).

Git Configuration

The next part for our problem was getting Git to talk through the proxy server as well.

Git didn’t support NTLM proxy servers until relatively recently (version 1.7.10), and since then you’ve been able to tell Git to use a proxy server from the command line like so:

git config --global http.proxy myproxyserver.mydomain.com:8080
git config --global https.proxy myproxyserver.mydomain.com:8080

This didn’t appear to work for my installation though.

After a bunch of investigation between my team and our infrastructure guys, it appears that the type of NTLM proxy we use simply didn’t like Git.

To get around this we installed a man-in-the-middle proxy server, CNTLM.

The way CNTLM works is that you give it some credentials to use and point whatever needs to access the internet at it as a proxy server. It offers an unauthenticated proxy connection, which it then authenticates and hands on to your NTLM proxy server.

To configure CNTLM open the file: C:\Program Files (x86)\cntlm\cntlm.ini

Username testuser
Domain contorso
Password password
Proxy  mycorporateproxy.mydomain.com:8080

Give the service a restart and then point Git at your new CNTLM proxy server.

git config --global http.proxy localhost:3128
git config --global https.proxy localhost:3128
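
A tighter variant of the CNTLM file above, as an added example that is not the author's configuration: it stores the NTLMv2 hash printed by `cntlm -H` instead of a plaintext `Password` line and binds the listener to loopback. The hash placeholder and the `NoProxy` list are assumptions; the remaining values are the sample values used in this post.

```ini
# cntlm.ini - added example, not the author's file.
# Account, domain and proxy host are the sample values from the post.

Username    testuser
Domain      contorso

# Replaces "Password password". Generate the hash once from a console:
#   cntlm -H -u testuser -d contorso
# Type the password at the prompt and paste the PassNTLMv2 value it prints.
# Keep no "Password" line in this file.
Auth        NTLMv2
PassNTLMv2  <PLACEHOLDER-HASH-PRINTED-BY-cntlm-H>

# Upstream corporate NTLM proxy that CNTLM authenticates to.
Proxy       mycorporateproxy.mydomain.com:8080

# Assumption: internal hosts go direct, mirroring the nonProxyHosts
# value used in the TeamCity options.
NoProxy     localhost, 127.0.0.*, *.mydomain.com

# Listen on loopback only, so nothing else on the network can use this
# unauthenticated port to browse as the configured account.
Listen      127.0.0.1:3128
Gateway     no
```

The stored hash still authenticates to the proxy as that account, so restrict read access on the file to administrators and the account the CNTLM service runs as, and prefer a dedicated low-privilege domain account over a personal one.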