I am new to HAProxy, and it is something that I'm trying to learn. I already set up a load balancer on some internal websites and everything runs fine. Now we are trying to set up a load balancer for a site with NTLM authentication, and we only get a 401 error…
log /dev/log local0 debug
log /dev/log local1 debug
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
In this setup there is no HTTPS, only connections on port 80 (frontend/backend), so I think there is no SSL issue.
401 is indeed a non-authorized header and part of the NTLM handshake (the server sends a 401 with NTLM as the offered auth method, the client answers "OK, we can talk NTLM", and then the server issues another 401 with NTLM credentials and the client answers with a hashed user/password thing - just in short).
There is a bug report in HAProxy with NTLM. Not sure if this was fixed and (still) is in the source code.
Have you tried to use just TCP mode?
One more thing: what is the URL to connect to HAProxy and what is the URL to connect directly?
I ask because there is a configuration option in IE for how and when NTLM/challenge-response is used, in short for example when there is a non-FQDN like “http://myserver/path/to/page”. You can configure this per client or per GPO and provide a list of domain names. I am not sure if the “host” name of srv01 is part of the NTLM challenge, so that it would or could be a problem if the client doesn't talk to “srv01” but to “srv”.
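The 401/NTLM exchange described in the replies above, as an added example that is not part of any post in the thread: a small Python check that decodes the `WWW-Authenticate` and `Authorization` header values taken from a capture of one connection and reports how far the handshake got. The function names and the sample capture are constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
MSG_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Order of the handshake as described in the thread.
EXPECTED = ["OFFER", "NEGOTIATE", "CHALLENGE", "AUTHENTICATE"]


def ntlm_step(header_value):
    """Classify a WWW-Authenticate / Authorization header value.

    Returns "OFFER" for a bare "NTLM", the NTLM message name for
    "NTLM <base64>", or None if the value is not a valid NTLM token.
    """
    parts = header_value.strip().split(None, 1)
    if not parts or parts[0].upper() != "NTLM":
        return None
    if len(parts) == 1:
        return "OFFER"
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != NTLM_SIG:
        return None
    (msg_type,) = struct.unpack("<I", raw[8:12])
    return MSG_TYPES.get(msg_type)


def handshake_progress(header_values):
    """Return the handshake steps seen in order, stopping at the first
    header that is not the next expected step."""
    seen = []
    for value in header_values:
        step = ntlm_step(value)
        if len(seen) == len(EXPECTED) or step != EXPECTED[len(seen)]:
            break
        seen.append(step)
    return seen


def _token(msg_type):
    # Constructed sample: signature + type field only, not a real NTLM message.
    return "NTLM " + base64.b64encode(NTLM_SIG + struct.pack("<I", msg_type)).decode()


# Constructed capture: the client sends a new NEGOTIATE instead of answering
# the challenge, so the handshake never reaches AUTHENTICATE.
SAMPLE = ["NTLM", _token(1), _token(2), _token(1)]

if __name__ == "__main__":
    print(handshake_progress(SAMPLE))
```

A result that stops at `CHALLENGE` means the second 401 was delivered but no valid answer to it was seen in the capture.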