HAProxy community

Client Negotiate -> haproxy -> kestrel (Debian) ->401

Good afternoon. Haproxy 2.0.5.

When trying to authenticate using negotiate (kerberos / ntlm) in a web application (ASP.Net Core, kestrel), a 401 error occurs.
Client - Windows, domain authentication. haproxy and application server - Linux Debian 9.
Client -> Application Server = 200 (ok).
Client -> haproxy -> Application Server -> 401. If authentication is not used, there is no problem and balancing works.
There is also IIS. For it, it was required to specify NTLM first, then Kerberos, in the applications' authentication settings. When Kerberos was first, there was also a 401 error.
What about kestrel? The asp.net core app uses transparent Windows authentication, the nuget package Microsoft.AspNetCore.Authentication.Negotiate is installed.
The authentication scheme is configured to use Negotiate. Through haproxy - 401. A browser window appears prompting for a login, password and domain. None of the correct combinations work. Different browsers - Firefox, Chrome, IE11.
Keeping in mind the problems with IIS (401), I understand that it is necessary to switch to NTLM on the Linux application server. But I don’t know how to do it. What needs to be done with haproxy for Negotiate to work?
I tried to access kestrel directly through haproxy, and through the nginx open proxy server. There is no difference - 401.

You must use ktutil to merge the keytab files from the haproxy balancer and from the application servers.
net ads add is not suitable for this (although it is enough for Negotiate to work on the application server itself).

Should be added to /etc/samba/smb.conf in the global section:
kerberos method = secrets and keytab

First you need to prepare the keytab files:
To do this, on each machine, enter:
on srvuastrat3 (balancer):
net ads keytab add host/srvuastrat3.domain.ru@DOMAIN.RU
on srvuapp03 (application server):
net ads keytab add host/srvuapp03.domain.ru@DOMAIN.RU

Next, go to each application server, copy the /etc/krb5.keytab file from the balancer server there. Launch

ktutil

While in ktutil we will enter commands.
Enter the command
list
Even though net ads keytab list shows entries, they are not visible through ktutil.
You need to read both keytab files and save them:
First, the regular keytab file from the application server:
read_kt /etc/krb5.keytab
Then the keytab file that was copied from the balancer:
read_kt /path_to_saved/srvuastrat3.keytab
And write them out:
write_kt /etc/krb5.keytab
Now you can enter
list
and we will see the KVNO slots for both the load balancer and the application server.
Then we exit:
quit
That's all. Authentication through the balancer should work.