Crypto
14 Apr 2026
Read 15 min
How to fix HTTP 407 proxy authentication error fast *
how to fix HTTP 407 proxy authentication error and restore downloads with stepwise fixes instantly
You can fix a 407 fast by confirming you are behind a proxy, re‑entering your proxy username and password, and matching the proxy’s auth method (Basic, NTLM, or Kerberos). This guide shows how to fix HTTP 407 proxy authentication error on browsers, command‑line tools, and apps, plus quick corporate network checks and safe settings.
A 407 means your request went through a proxy, but the proxy blocked it because you did not authenticate. The proxy expects valid credentials or a single sign‑on token. The block can hit any app: a browser, Git, npm, curl, pip, or a desktop tool. The good news: most fixes take minutes once you match your settings to the proxy’s rules. Below you will find what it is, why it happens, and step‑by‑step actions.
Confirm you are using a proxy. On Windows, open Internet Options > LAN settings. On macOS, open System Settings > Network > Your Network > Details > Proxies. If a script (PAC) or manual proxy is set, note it.
Sign in again. When a prompt appears, enter your domain username and password. Use the right format, like DOMAINuser or user@domain.com, if your company needs it.
Match the auth method. Check the Proxy‑Authenticate header (use curl -v or browser dev tools). If it says NTLM or Negotiate, your tool must support it.
Test with curl. Run curl -v –proxy http://user:pass@host:port https://example.com. If it works, your credentials are right. If not, fix the user, password, host, or port.
Update saved credentials. Clear old proxy passwords in your browser or OS keychain. Enter the new one.
Disable a wrong proxy. If you are on a home network, turn off the corporate proxy or VPN and try again.
Sync your clock. A big time drift can break SSO (Kerberos). Set time to automatic.
Check VPN and captive portals. Connect to the VPN if your proxy needs it, or sign in to hotel/airport Wi‑Fi first.
Basic: sends a base64 user:password. Use only over HTTPS proxies.
NTLM or Negotiate (Kerberos): supports Windows or SSO. Your app must support these.
Digest or Bearer: less common on enterprise forward proxies.
Your goal is to present the right credentials using the method the proxy expects.
Windows proxy settings: Settings > Network & Internet > Proxy. If “Use a proxy server” is on, confirm the address and port. If a script (PAC) is set, ensure the URL is correct.
Re‑enter credentials: Close and reopen the browser. Browse to any HTTPS site. If prompted, enter DOMAINusername and your password.
Clear saved logins: Control Panel > Credential Manager. Remove stale entries for your proxy host.
Reset WinHTTP proxy if it overrides apps: run Command Prompt as admin: netsh winhttp show proxy. If it looks wrong, run netsh winhttp reset proxy.
Settings > General > Network Settings. Try “Use system proxy settings.” If that fails, try “Auto-detect proxy settings” or set the proxy manually.
If your proxy uses NTLM/Negotiate, ensure single sign‑on is allowed: search for “network.automatic-ntlm-auth.trusted-uris” and add your proxy domain (for example, .corp.local).
Clear saved logins for the proxy in Settings > Privacy & Security > Logins and Passwords.
System Settings > Network > Your Network > Details > Proxies. Verify the PAC URL or manual proxy and port.
Disable unexpected proxies when off the corporate network. Uncheck them and try again.
If your account password changed, open Keychain Access and remove old proxy items, then retry to save the new one.
Basic test: curl -v –proxy http://user:pass@host:port https://example.com
If the proxy requires NTLM: curl -v –proxy-ntlm –proxy http://user:pass@host:port https://example.com
If it uses Kerberos/Negotiate: curl -v –proxy-negotiate –proxy anyproxy:port https://example.com (you must have a valid Kerberos ticket)
Set proxy with credentials: git config –global http.proxy http://user:pass@host:port
If your company uses NTLM/Kerberos, prefer a credential helper or a system proxy that handles SSO rather than embedding the password.
Unset if wrong: git config –global –unset http.proxy
npm set proxy http://user:pass@host:port
npm set https-proxy http://user:pass@host:port
For strict SSL proxies, ensure npm config set strict-ssl true. If your proxy re‑signs TLS, import the company CA certificate instead of disabling SSL.
Use environment variables: set HTTP_PROXY=http://user:pass@host:port and HTTPS_PROXY=http://user:pass@host:port
On Windows PowerShell: setx HTTP_PROXY “http://user:pass@host:port”
If 407 persists, test with pip –proxy http://user:pass@host:port install package
For Docker daemon on Linux: set HTTP_PROXY/HTTPS_PROXY in /etc/systemd/system/docker.service.d/proxy.conf and restart Docker.
For Docker Desktop: Settings > Resources > Proxies. Enter the proxy and credentials.
Use NO_PROXY to skip the proxy for local or trusted hosts. Example: NO_PROXY=localhost,127.0.0.1,.corp.local
If NO_PROXY is missing, some tools will send even internal traffic to the proxy and get a 407 from restricted paths.
Confirm auth_param matches your directory (Basic, NTLM, or Kerberos).
Check access controls. Your acl for allowed networks and http_access rules must permit authenticated users.
Review cache.log and access.log for 407 loops or 5xx from helpers.
Verify auth_request or http_auth_basic is configured for proxy_connect and CONNECT tunneling.
Ensure the proxy returns a proper Proxy‑Authenticate header, not WWW‑Authenticate.
Make sure you send Proxy‑Authenticate, not server auth headers.
If you intercept TLS, deploy the root CA to clients. Without it, clients may refuse the connection and retry poorly, causing 407 loops.
Step 1: Determine if a proxy is set (system proxy, VPN, or PAC).
Step 2: Try a site in a browser. If prompted, log in with the correct domain format.
Step 3: If it still fails, test with curl -v through the proxy and read Proxy‑Authenticate.
Step 4: Match the app to the method: add –proxy-ntlm or –proxy-negotiate if needed, or set credentials in the app’s config.
Step 5: Clear old saved credentials and re‑enter new ones.
Step 6: Sync system time and reconnect VPN if required.
Step 7: Use NO_PROXY for internal hosts to reduce load and avoid auth on local traffic.
Step 8: If you are an admin, review proxy logs to confirm authentication success.
Do not store proxy passwords in plain text configs. Use OS credential stores or encrypted helpers.
Prefer SSO (Kerberos/NTLM) where possible. It is safer and easier for users.
Use HTTPS to the proxy if you must send Basic auth.
Distribute company root CAs to clients if the proxy decrypts TLS.
Document the proxy host, port, auth method, and the PAC URL. Keep a short runbook for new devices.
Chrome shows 407 on office Wi‑Fi but not at home: your laptop kept a corporate proxy. Turn off the proxy when off the network or keep VPN on.
npm fails with 407 while browser works: npm did not inherit your proxy. Run npm set proxy and npm set https-proxy with the right credentials.
curl works with –proxy-ntlm but Git fails: Git uses Basic only in your setup. Point Git to the system proxy that handles NTLM, or use a credential helper that supports it.
When you need a fast, repeatable fix, focus on three things: is a proxy set, what auth method it wants, and where to put the right credentials. If you follow this guide on how to fix HTTP 407 proxy authentication error, you should get back online in minutes.
How to fix HTTP 407 proxy authentication error: quick checklist
Understand what the 407 means
A 407 is “Proxy Authentication Required.” Your request reached the proxy, not the site. The proxy replied with a 407 and the Proxy‑Authenticate header. That header tells you which login scheme the proxy accepts. Common ones are:Browser fixes that work fast
Google Chrome and Microsoft Edge (Windows)
Firefox
Safari and other macOS browsers
Fixing 407 in apps and command‑line tools
Many apps read proxy settings from environment variables or their own configs. A mismatch causes 407. Here is how to fix common tools.curl
Git
npm and yarn
pip (Python)
Docker
NO_PROXY bypass
Company network tips that solve stubborn 407s
Update your password and unlock your account
If your password expired, the proxy will reject you. Change it on your domain. Lockouts also cause 407. Wait for unlock or contact IT.Check time and SSO
Kerberos needs clocks that are in sync. Turn on automatic time. Join the right domain. Use your full UPN (user@domain.com) if DOMAINuser fails.PAC and WPAD issues
A broken PAC file can route traffic to the wrong proxy or port. Ask IT for the PAC URL and test it in a browser to ensure it loads. If auto‑detect (WPAD) is flaky on Wi‑Fi, set the PAC URL manually.VPN requirements
Some proxies only accept traffic from the VPN range. If you are off VPN, you get 407 or no route. Connect to VPN and try again.Captive portals
Hotel or airport Wi‑Fi can inject a captive portal. Open http://neverssl.com in your browser to trigger the sign‑in page, complete it, then retry your app.If you run the proxy: server‑side checks
Squid
Nginx as forward proxy
Headers and TLS interception
A step‑by‑step path you can follow in 10 minutes
Security and reliability best practices
Troubleshooting examples
For more news: Click Here
FAQ
Q: What does an HTTP 407 proxy authentication error mean?
A: HTTP 407 means your request reached a proxy that blocked it because you did not authenticate. The proxy expects valid credentials or a single sign‑on token and replies with a Proxy‑Authenticate header indicating the accepted auth scheme.
Q: How can I quickly fix HTTP 407 proxy authentication error?
A: A quick way to follow this guide on how to fix HTTP 407 proxy authentication error is to confirm you are behind a proxy, re‑enter your proxy username and password, and match the proxy’s auth method (Basic, NTLM, or Kerberos). Then test with curl or your app, clear saved credentials, disable a wrong proxy off the corporate network, and sync your clock or connect VPN if SSO is required.
Q: How do I check which authentication method my proxy requires?
A: Inspect the Proxy‑Authenticate header using curl -v or your browser developer tools to see if the proxy advertises Basic, NTLM, Negotiate (Kerberos), or another scheme. If it says NTLM or Negotiate, use a tool or setting that supports those methods rather than Basic auth.
Q: What should I try first in a browser when I see a 407?
A: Confirm the system proxy or PAC settings (Windows: Internet Options > LAN settings; macOS: System Settings > Network > Details > Proxies) and re‑enter credentials when prompted, using DOMAINuser or user@domain.com if required. Also clear saved proxy logins in Credential Manager, Keychain, or browser settings and reset WinHTTP or browser proxy choices if they look wrong.
Q: How do I fix 407 errors in command‑line tools like curl, Git, npm, and pip?
A: Many command‑line tools read environment variables or their own proxy configs, so set credentials there (examples: curl -v –proxy http://user:pass@host:port, git config –global http.proxy http://user:pass@host:port, npm set proxy http://user:pass@host:port, and set HTTP_PROXY/HTTPS_PROXY for pip). If the proxy requires NTLM or Kerberos, add curl flags like –proxy-ntlm or –proxy-negotiate or use a credential helper/system proxy that supports SSO for tools such as Git.
Q: When should I use NO_PROXY to avoid 407 errors?
A: Use NO_PROXY to bypass the proxy for local or trusted hosts (for example NO_PROXY=localhost,127.0.0.1,.corp.local) so internal traffic doesn’t get sent to the proxy and receive a 407. Missing NO_PROXY can force internal requests through the proxy and trigger authentication errors on restricted paths.
Q: What corporate network issues commonly cause persistent 407s and how do I check them?
A: Verify your domain password isn’t expired or locked and update it if needed, ensure system time is synced for Kerberos SSO, and connect to VPN if the proxy only accepts traffic from the VPN range. Also check that the PAC/WPAD URL is correct and that captive portals on public Wi‑Fi are signed into before retrying your apps.
Q: If I run the proxy, what server‑side checks should I perform to resolve repeated 407s?
A: For Squid, confirm auth_param matches the directory type, check ACLs and inspect cache.log and access.log for 407 loops or helper errors; for Nginx verify auth_request or http_auth_basic is configured correctly and that the proxy returns a proper Proxy‑Authenticate header. If you intercept TLS, ensure the company root CA is deployed to clients so they accept the proxy’s re‑signed certificates.
* The information provided on this website is based solely on my personal experience, research and technical knowledge. This content should not be construed as investment advice or a recommendation. Any investment decision must be made on the basis of your own independent judgement.
Contents
