HTTP load balancer + IIS 10 NTLM

Hi guys,
I am new to HAProxy, and that is something that I'm trying to learn :) . I already set up a load balancer on some internal websites and everything runs fine. Now we are trying to set up a load balancer for a site with NTLM authentication, and we only get 401 errors...

haproxy.cfg

global
    log /dev/log local0 debug
    log /dev/log local1 debug
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Plain HTTP frontend on port 80 (no TLS termination in this setup)
frontend sctest_LB
    mode http
    bind *:80
    option http-keep-alive
    #option prefer-last-server
    default_backend sctest_LB_Back

# Two IIS servers, source-IP hashing for stickiness
backend sctest_LB_Back
    balance source
    hash-type consistent
    option http-keep-alive
    option prefer-last-server
    server ha01 srv01:80 check maxconn 3000
    server ha02 srv02:80 check maxconn 3000

Any help will be appreciated.

PJ

From my testing, I have also run into the issue with NTLM. When it comes to the HTTPS health checks, that's an issue because HAProxy (to my knowledge) isn't able to authenticate over NTLM.

But I know that a 401 is indeed an unauthorized error. What I suggest is either using balance source or adding a cookie so that the clients will always connect to the same backend server.

You can find examples online. But if you want, I can put a reply later with my config that I'm using in a similar setting.

In this setup there is no HTTPS, only connections on port 80 (frontend/backend), so I think there is no SSL issue.
401 is indeed a non-authorized header and part of the NTLM handshake (the server sends 401 with NTLM as the offered auth method, the client answers "ok, we can talk NTLM", then the server issues another 401 with the NTLM challenge and the client answers with a hashed user/password thing - just in short).
There is a bug report in HAProxy with NTLM. Not sure if this was fixed and (still) is in the source code.
Have you tried to use just TCP mode?

One more thing: what is the URL to connect to HAProxy and what is the URL to connect directly?
I ask because there is a configuration option in IE for how and when NTLM/Challenge Response is used, in short for example when there is a non-FQDN like "http://myserver/path/to/page". You can configure this per client or per GPO and provide a list of domain names. I am not sure if the "host" name of srv01 is part of the NTLM challenge, so that it would or could be a problem if the client doesn't talk to "srv01" but to "srv".

see
https://knowledge.broadcom.com/external/article/155498/how-to-troubleshoot-the-ntlmhttp-401-aut.html
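Added example, not code from the thread or from HAProxy: a small Python decoder that labels each step of the NTLM-over-HTTP handshake described above (bare 401 offer, Type 1 NEGOTIATE, Type 2 CHALLENGE with the server challenge, Type 3 AUTHENTICATE, final result) from a captured request/response sequence. It is useful when comparing a capture taken through the load balancer with one taken directly against srv01: NTLM authenticates the TCP connection rather than each request, so if the Type 3 AUTHENTICATE arrives on a different server-side connection than the one that issued the Type 2 CHALLENGE, the server answers 401 again, and that is the pattern the decoder flags. The message layout follows MS-NLMP; the message dict format, the helper names and all sample tokens are constructed for this example and are not real captures.

```python
"""
NTLM-over-HTTP handshake decoder (added example, not from the forum thread).
Message layout per MS-NLMP: 'NTLMSSP\0' signature, then a little-endian
32-bit MessageType (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE); the
CHALLENGE message carries the 8-byte ServerChallenge at offset 24.
The capture format below (list of request/response dicts) is an assumption
made for this example.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def decode_ntlm_token(token_b64):
    """Decode a base64 NTLMSSP message; return (message_type, server_challenge_hex or None)."""
    raw = base64.b64decode(token_b64)
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    challenge = raw[24:32].hex() if msg_type == 2 and len(raw) >= 32 else None
    return msg_type, challenge


def parse_auth_header(value):
    """Split 'NTLM <token>' into (scheme, token); token is None for a bare offer like 'NTLM'."""
    parts = value.strip().split(None, 1)
    scheme = parts[0] if parts else ""
    token = parts[1].strip() if len(parts) > 1 else None
    return scheme, token


def analyze_capture(messages):
    """Label each message of one client's sequence by NTLM stage.
    Message: {"kind": "request"|"response", "status": int|None, "headers": [(name, value), ...]}"""
    labels = []
    awaiting_result = False  # True once the client has sent a Type 3
    for msg in messages:
        hdrs = [(n.lower(), v) for n, v in msg["headers"]]
        if msg["kind"] == "request":
            auth = [v for n, v in hdrs if n == "authorization"]
            scheme, token = parse_auth_header(auth[0]) if auth else ("", None)
            if scheme.lower() not in ("ntlm", "negotiate") or token is None:
                labels.append("request: no NTLM token")
                continue
            try:
                msg_type, _ = decode_ntlm_token(token)
            except ValueError:
                labels.append("request: Negotiate token is not NTLMSSP (likely Kerberos)")
                continue
            labels.append(f"request: type {msg_type} {MESSAGE_NAMES.get(msg_type, 'UNKNOWN')}")
            awaiting_result = msg_type == 3
            continue
        status = msg["status"]
        if status != 401:
            labels.append(f"response: {status} " + ("authenticated" if awaiting_result else "no auth in progress"))
            awaiting_result = False
            continue
        if awaiting_result:
            # 401 straight after the Type 3: wrong credentials, or the Type 3 reached a
            # different backend connection than the one that issued the challenge.
            labels.append("response: 401 after AUTHENTICATE (rejected or connection not sticky)")
            awaiting_result = False
            continue
        offers = [parse_auth_header(v) for n, v in hdrs if n == "www-authenticate"]
        challenge = None
        for scheme, token in offers:
            if token and scheme.lower() in ("ntlm", "negotiate"):
                try:
                    t, c = decode_ntlm_token(token)
                except ValueError:
                    continue
                if t == 2:
                    challenge = c
        if challenge:
            labels.append(f"response: 401 type 2 CHALLENGE, server challenge {challenge}")
        elif any(s.lower() in ("ntlm", "negotiate") for s, _ in offers):
            labels.append("response: 401 offers " + "/".join(s for s, _ in offers))
        else:
            labels.append("response: 401 without NTLM/Negotiate offer")
    return labels


# --- constructed sample tokens (minimal valid layouts, not real captures) ---
def build_type1():
    return base64.b64encode(NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0x00088207) + b"\x00" * 16).decode()


def build_type2(challenge=bytes(range(1, 9))):
    body = (NTLMSSP_SIGNATURE + struct.pack("<I", 2) + b"\x00" * 8
            + struct.pack("<I", 0x00088205) + challenge + b"\x00" * 8)
    return base64.b64encode(body).decode()


def build_type3():
    return base64.b64encode(NTLMSSP_SIGNATURE + struct.pack("<I", 3) + b"\x00" * 52).decode()


def sample_capture(final_status):
    """Four-step NTLM exchange; final_status 200 = success, 401 = failed final step."""
    final_headers = [("WWW-Authenticate", "NTLM")] if final_status == 401 else []
    return [
        {"kind": "response", "status": 401,
         "headers": [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]},
        {"kind": "request", "status": None, "headers": [("Authorization", "NTLM " + build_type1())]},
        {"kind": "response", "status": 401, "headers": [("WWW-Authenticate", "NTLM " + build_type2())]},
        {"kind": "request", "status": None, "headers": [("Authorization", "NTLM " + build_type3())]},
        {"kind": "response", "status": final_status, "headers": final_headers},
    ]


if __name__ == "__main__":
    for status in (200, 401):
        print(f"--- final status {status} ---")
        for line in analyze_capture(sample_capture(status)):
            print(line)
```

Run it as is to see the healthy sequence next to the failing one; to use it on a real capture, feed `analyze_capture` the headers of one client's requests and responses in order. Two details matter when reading real output: IIS normally offers both `Negotiate` and `NTLM`, and a `Negotiate` token that is not NTLMSSP is Kerberos, which does not have the per-connection stickiness requirement.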