HAProxy + NTLM in HTTP mode

Is it possible to do NTLM authentication in HTTP mode?

I have the following cfg:

global
    # Assumed: the syslog address is missing from the pasted line; 127.0.0.1 is the stock value.
    log         127.0.0.1 local2 debug
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    stats socket /var/lib/haproxy/stats

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    # http-server-close closes the server-side connection after every response,
    # which breaks NTLM: the authentication is bound to the TCP connection, not
    # to the request. The frontend and backend below override it with http-keep-alive.
    option                  http-server-close
    # "except" requires a network argument; 127.0.0.0/8 is the stock value.
    option                  forwardfor except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

frontend http_in
    bind *:80
    mode http
    option http-keep-alive
    default_backend launchpad

backend launchpad
    mode http
    balance roundrobin
    acl p_root path -i /
    # set-path leaves the query string untouched, so "?p=164" would end up as a
    # literal part of the path; set the path and the query separately.
    http-request set-path /ords/f if p_root
    http-request set-query p=164 if p_root
    # A server address is host:port only; the /ords/ prefix belongs in the
    # request path, not in the server line.
    server app1 server01.mydomain.com:9502 check
    # Keep each client on the same server connection for the whole session:
    # NTLM authenticates the connection, so reusing it is mandatory.
    option http-keep-alive
    option prefer-last-server
    timeout server 30s
    timeout connect 5s

However, every time I try to access the HAProxy host on port 80, I get prompted to enter my Windows credentials.

If I go directly to server01.mydomain.com:9502/ords I’m authenticated automatically (no need to enter credentials).

Any ideas? I believe NTLM only works in mode tcp, but I need to use mode http in order to set up the URL path in the header.

NTLM is supposed to work in HTTP mode as well; however, I’m aware that this is broken due to a bug in current releases:

Which release are you using?

Good afternoon, jvelezmorales!
Yes it is possible. I struggled with this for a long time and I succeeded. It is necessary to merge both keytab files on the application servers: one from the haproxy and the other from the application server.
Described in more detail in Client Negotiate -> haproxy -> kestrel (Debian) ->401
If you have any questions, write and I will try to help. Everything works for me as it should. Two IIS (Windows) and two nginx (Linux) are used as application servers, in HTTP mode.
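The symptom in this thread (a credential prompt through the proxy, silent SSO when going to the backend directly) usually means the browser stopped sending a Kerberos ticket and fell back to NTLM, which is exactly what the keytab/SPN mismatch described above produces. The following is an added example, not code from HAProxy or from either poster: it base64-decodes the value of an Authorization header and reports whether it carries raw NTLMSSP, SPNEGO offering Kerberos first, or SPNEGO that only offers NTLM. All tokens are constructed inline; the "AP-REQ" is a placeholder blob, since only the SPNEGO envelope matters here. Whether a real Kerberos ticket is for the right SPN (HTTP/myapp.mydomain.com) can only be checked with the backend's keytab and is not shown.

```python
"""Classify the mechanism inside an HTTP Authorization header (NTLM vs Negotiate/SPNEGO).

Added example for this thread, not HAProxy or project code. Every token below is
constructed, not captured from a real server.
"""
import base64

# DER-encoded OBJECT IDENTIFIERs (tag 0x06 + length + contents).
OID_SPNEGO = bytes.fromhex("06062b0601050502")             # 1.3.6.1.5.5.2
MECH_OIDS = {
    "MS-KRB5": bytes.fromhex("06092a864882f712010202"),    # 1.2.840.48018.1.2.2
    "KRB5":    bytes.fromhex("06092a864886f712010202"),    # 1.2.840.113554.1.2.2
    "NTLMSSP": bytes.fromhex("060a2b06010401823702020a"),  # 1.3.6.1.4.1.311.2.2.10
}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with the given tag (definite-length encoding)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def build_spnego_init(mechs: list, mech_token: bytes) -> bytes:
    """Build a minimal SPNEGO InitialContextToken carrying a NegTokenInit.

    Only mechTypes (in preference order) and mechToken are emitted; the optional
    reqFlags and mechListMIC fields are omitted.
    """
    mech_types = der(0xA0, der(0x30, b"".join(mechs)))   # [0] SEQUENCE OF OID
    token = der(0xA2, der(0x04, mech_token))             # [2] OCTET STRING
    neg_token_init = der(0xA0, der(0x30, mech_types + token))
    return der(0x60, OID_SPNEGO + neg_token_init)        # [APPLICATION 0]


def classify_authorization(header_value: str) -> dict:
    """Return which mechanism a client's Authorization header actually carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIGNATURE):
        # Raw NTLM message outside SPNEGO (the "NTLM" scheme).
        return {"scheme": scheme, "offered": ["NTLMSSP"],
                "preferred": "NTLMSSP", "ntlm_payload": True}
    if not token.startswith(b"\x60") or OID_SPNEGO not in token:
        raise ValueError("token is neither raw NTLMSSP nor a SPNEGO InitialContextToken")
    # mechTypes lists mechanisms in preference order, so sort matches by offset.
    found = sorted((token.find(oid), name) for name, oid in MECH_OIDS.items() if oid in token)
    offered = [name for _, name in found]
    if not offered:
        raise ValueError("SPNEGO token lists no known mechanism")
    return {"scheme": scheme, "offered": offered, "preferred": offered[0],
            "ntlm_payload": NTLMSSP_SIGNATURE in token}


def ntlm_negotiate_message() -> bytes:
    """Constructed NTLMSSP NEGOTIATE (type 1): signature, type, example flags, empty fields."""
    flags = (0xE2088297).to_bytes(4, "little")
    return NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + flags + bytes(16)


FAKE_AP_REQ = bytes.fromhex("6e00")  # placeholder, not a valid Kerberos AP-REQ
SAMPLE_HEADERS = {
    # Browser has a ticket: SPNEGO prefers Kerberos, NTLM only as a fallback.
    "kerberos": "Negotiate " + base64.b64encode(build_spnego_init(
        [MECH_OIDS["MS-KRB5"], MECH_OIDS["KRB5"], MECH_OIDS["NTLMSSP"]], FAKE_AP_REQ)).decode(),
    # No usable ticket for the SPN: SPNEGO wraps an NTLM type 1 message.
    "ntlm_in_spnego": "Negotiate " + base64.b64encode(build_spnego_init(
        [MECH_OIDS["NTLMSSP"]], ntlm_negotiate_message())).decode(),
    # Plain NTLM scheme, no SPNEGO at all.
    "raw_ntlm": "NTLM " + base64.b64encode(ntlm_negotiate_message()).decode(),
}


def sample_results() -> dict:
    """Classify every constructed sample; only the 'kerberos' case is silent SSO."""
    return {name: classify_authorization(hdr) for name, hdr in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, result in sample_results().items():
        print(f"{name:15s} preferred={result['preferred']:8s} offered={result['offered']}")
```

To get real values to feed in, `http-request capture req.hdr(Authorization) len 64` in the frontend puts the start of the header into the HAProxy log line. Treat those captures as credentials: an NTLM type 3 message contains a password-derived response that can be cracked offline, so remove the capture once the diagnosis is done.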

hi alex_nur,

thanks for the input.
I reviewed the link provided.
My setup is basically this: I have Oracle APEX on the same host as WebLogic. I have several apps, all of them developed in APEX (rapid app development). WebLogic has been configured to authenticate users via the LDAP domain and also single sign-on with Kerberos to auto-login the end user (no credentials prompted for users). This same configuration works for APEX, meaning that users don't have to enter their credentials, as SSO does the login and authenticates the user against the LDAP configured in WebLogic.
Basically, what I’m trying to achieve with HAProxy is having a friendlier URL for my APEX apps (from host1:9502/ords/f?p=100 to myapp.mydomain.com) while still having SSO working. So far HAProxy still prompts the user for their credentials when navigating to the myapp.mydomain.com site (authentication works with no problem after the user enters the credentials).

I would like to keep it simple and not use NGINX here, as I believe HAProxy is more capable of doing this reverse proxying and NTLM authentication.
Do you have any suggestions?


No suggestions. I also think I needed to install the gssapi-ntlm package. But it was required for ASP.NET Core applications to negotiate.