Dear Community,
I run a (Windows IIS) web server in a cluster of 2 servers where authentication via Kerberos is implemented. The login to each of the servers works fine.
If I now put HAProxy in front of it, everything works fine for now, except that you always have to log in twice before you are logged in. The first time, the login window appears in the middle of the browser, and the second time in the upper area of the browser. Only after the second login is the user correctly logged in. I once knew what that meant, but I can’t find the explanation anymore. Between the first and second login, I find the error 401 in the cluster node logs.
I have already tried a lot of configuration suggestions from the internet (e.g. acl, all possible http-request statements etc.), read the manual, talked to ChatGPT, but the double login always stayed. Do you have any idea? Here is my current config:

    frontend clfront
        bind *:80
        bind *:443 ssl crt /etc/ssl/certs/cert.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2
        redirect scheme https code 301 if !{ ssl_fc }
        mode http #tcp
        option forwardfor
        http-request add-header X-Forwarded-Proto https
        default_backend clfront-servers

    backend clfront-servers
        mode http #tcp
        balance leastconn #uri
        server serv01 serv01.de:443 check ssl verify none
        server serv01 serv01.de:443 check ssl verify none

Thank you so much for your input!
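
A diagnostic for the symptom described above, as an added example that is not part of the original post: it decodes the token in each Authorization header (copied from the browser's network view or a proxy capture) and reports whether the browser answered with a Kerberos ticket or an NTLM message. The function names and the sample tokens are constructed for illustration.

```python
import base64
from collections import Counter

NTLMSSP = b"NTLMSSP\x00"                               # signature opening every NTLM message
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # DER OID 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # DER OID 1.2.840.48018.1.2.2

def classify_authorization(value):
    """Classify one Authorization header value by the mechanism its token carries."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other"
    try:
        blob = base64.b64decode(token.strip(), validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return "undecodable"
    pos = blob.find(NTLMSSP)
    if pos >= 0:                             # raw NTLM, or NTLM wrapped in SPNEGO
        msg_type = int.from_bytes(blob[pos + 8:pos + 12], "little")
        return f"ntlm-type{msg_type}"
    if blob[:1] == b"\x60" and (OID_KRB5 in blob or OID_MS_KRB5 in blob):
        return "kerberos"                    # GSS-API initial token naming Kerberos 5
    return "negotiate-unknown"

def summarize(header_values):
    """Count how many of the captured headers fall into each class."""
    return Counter(classify_authorization(v) for v in header_values)

def b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample headers (shaped like real tokens, not real tickets or hashes).
SAMPLES = [
    "Negotiate " + b64(b"\x60\x1e" + bytes.fromhex("06062b0601050502") + OID_KRB5 + b"\x00" * 11),
    "Negotiate " + b64(NTLMSSP + (1).to_bytes(4, "little") + b"\x00" * 4),
    "NTLM " + b64(NTLMSSP + (3).to_bytes(4, "little") + b"\x00" * 4),
    "Basic dXNlcjpwdw==",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_authorization(header), "<-", header[:40])
```

A first 401 carrying WWW-Authenticate: Negotiate is the normal challenge of this scheme; the classification shows which mechanism the browser used in its answer, once directly against a cluster node and once through the proxy.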