HAProxy 2.2 with Exchange 2019 - Continuous password prompt

Hello,

I’m a bit stuck setting up my HAProxy reverse proxy in combination with Exchange.

I have several webservers but only 1 public IP, so I opted for HAProxy as reverse proxy.

All my websites work except for the Exchange 2019 - Outlook connection.

When I fire up Outlook from an external connection I continuously get prompted for a password.
Internally (or when I configure my hosts file to point to the reverse proxy) everything works great.

I’m a bit at a loss what the problem could be.
I’ve stripped my config file to remove my public address etc. and I removed the other sites/ACLs.
Can you please take a look at my config and tell me how I f-ed up?

Here is my cfg file: https://pastebin.com/Gk56CmCn

Thanks in advance for any advice.

What do you have for the following on your CAS?

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
KeepAliveTime

The KeepAliveTime key is not present.

Add the key, and set it to a value that is equal to or less than your HA backend server timeout value.

I personally have mine set to 30 minutes, and have my HA timeouts for client (front end) and server (backend) set to the same:
"KeepAliveTime"=dword:001b7740
or 1800000 in decimal; the unit is milliseconds.

Thanks for the advice.
Unfortunately: no dice.

I set the reg key, restarted the CAS server, double-checked HAProxy timeout values, but still continuous password prompts.

What’s your updated cfg look like?

Hi, this is my current config: https://pastebin.com/KSMaYbhe

Try commenting out/removing all of the http-keep-alive settings,

i.e.
timeout http-keep-alive
option timeout http-keep-alive

I don’t get it… the password pop-ups keep coming back.

NTLM should be proxied correctly…

Perhaps it’s an issue with your stickiness. What happens if you only configure a single backend without the cookie/stickiness etc.?
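The advice in this thread, collected into one HAProxy configuration sketch: client and server timeouts of 30 minutes to match a 1800000 ms KeepAliveTime on the CAS, no `timeout http-keep-alive`, and a single Exchange backend without cookie stickiness. This is an added illustration, not the poster’s config; hostnames, addresses, certificate paths and the `be_other` backend are placeholders.

```haproxy
global
    log /dev/log local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    # 30 minutes on both sides, equal to the CAS KeepAliveTime of 1800000 ms,
    # so neither HAProxy nor Windows drops an idle Outlook connection first.
    timeout client  30m
    timeout server  30m
    # Deliberately no "timeout http-keep-alive" here, as suggested above.

frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/mail.example.com.pem   # placeholder
    # Exchange virtual directories; everything else goes to the other sites.
    acl is_exchange path_beg -i /owa /ecp /ews /mapi /oab /rpc /autodiscover /microsoft-server-activesync
    use_backend be_exchange if is_exchange
    default_backend be_other

backend be_exchange
    # One CAS, no "cookie" directive and no stick-table: NTLM authenticates
    # the TCP connection rather than each request, so every request on a
    # client connection has to keep reaching the same server.
    server cas01 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check

backend be_other
    server web01 192.0.2.20:80 check   # placeholder for the other websites
```

The same configuration can be checked for syntax before reloading with `haproxy -c -f /etc/haproxy/haproxy.cfg`.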

Exchange 2019 CU11 + HAProxy 2.4.18
I have a similar problem with Outlook authorizations. The configuration is standard. The only thing I noticed is that the authorization is transmitted incorrectly (our mail domain differs from the UPN). I enter the correct data when requesting a username and password.

Den.Klim@secdomain.net 172.31.14.91 VM-Exch01.domain.ru TDCF.domain.ru apr 10,2023 03:33:20 PM Failure Bad user name krbtgt/domain.ru 22229 - 0xffffffff A Kerberos authentication ticket (TGT) was requested for secdomain.net from VM-Exch01.domain.ru. Status : Failure. . Error : Bad user name