Authentication via Kerberos requires two logins

Dear Community,
I run a (Windows IIS) web server in a cluster of 2 servers where authentication via Kerberos is implemented. The login to each of the servers works fine.
If I now switch a HAPROXY in front of it, everything works fine for now, except that you always have to log in twice before you are logged in. The first time the login window appears in the middle of the browser and the second time then in the upper area of the browser. Only after the second login the user is correctly logged in. I once knew what that meant, but I can’t find the explanation anymore. Between the first and second login I find in the cluster node logs the error 401.
I have already tried a lot of configuration suggestions from the internet (e.g. acl, all possible http-request statements etc.), read manual, talked to ChatGPT, but the double login always stayed. Do you have any idea? Here is my current config:

frontend clfront
        bind    *:80
        bind    *:443 ssl crt /etc/ssl/certs/cert.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2
        redirect scheme https code 301 if !{ ssl_fc }
        mode http #tcp
        option forwardfor
        http-request add-header X-Forwarded-Proto https
        default_backend clfront-servers

backend clfront-servers
        mode http #tcp
        balance leastconn #uri
        server serv01 serv01.de:443 check ssl verify none
        server serv01 serv01.de:443 check ssl verify none

Thank you so much for your input!

I have installed nginx as a proxy and the same problem occurs there. But the problem does not occur when trying to log in directly to the servers. So I suspect an authentication problem in IIS.

It seems that you have to login twice because is the number of IIS server and your sessions are balanced between those two servers with leastconn. No sticky sesions.
So if you hit IIS #1 you have to auth, if you change to IIS #2 - HAProxy will do that - you have to do the auth again as no login info is established on the IIS #2 yet.