in this setup there is no HTTPS, only connections on port 80 (frontend/backend). so i think no SSL issue.
401 is indeed a non-authorized header and part of the NTLM handshakes (server sends 401 with ntlm as offered auth method, client answers ok we can talk ntlm and then the server issues another 401 with ntlm credentials and client answers with a hashed user/password thing - just in short).
there is a bug report in haproxy with ntlm. not sure if this was fixed and (still) is in the source code.
have you tried to use just TCP mode?
one more thing: what is the url to connect to haproxy and what is the url to directly connect?
i ask, because there is a configuration option in IE how and when NTLM/Challenge Response is used. in short for example when there is a non-fqdn like “http://myserver/path/to/page”. you can configure this per client or per GPO and provide a list of domain-names. i am not sure, if the “host”-name of srv01 is part of the ntlm challenge so that it would or could be a problem, if the client doesn’t talk to “srv01” but to “srv”.
see
https://knowledge.broadcom.com/external/article/155498/how-to-troubleshoot-the-ntlmhttp-401-aut.html
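
An added example, not part of the original post: when comparing a direct connection with one that goes through haproxy, decoding the NTLM token in each `WWW-Authenticate` / `Authorization` header value shows which handshake step was reached and which target name the server placed in its challenge. The header values are constructed samples, `SRV01` is an assumed server name, and the function names are hypothetical.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
STEPS = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NEGOTIATE_UNICODE = 0x00000001  # flag bit: strings are UTF-16LE


def parse_ntlm_header(value):
    """Classify a WWW-Authenticate / Authorization header value."""
    parts = value.strip().split(None, 1)
    if not parts or parts[0].upper() != "NTLM":
        return {"step": "NOT_NTLM"}
    if len(parts) == 1:
        return {"step": "OFFER"}  # bare "NTLM" on the server's first 401
    try:
        msg = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return {"step": "MALFORMED"}
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        return {"step": "MALFORMED"}
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    result = {"step": STEPS.get(msg_type, "UNKNOWN")}
    if msg_type == 2 and len(msg) >= 24:
        # CHALLENGE: TargetName fields at offset 12, NegotiateFlags at 20.
        name_len, _, name_off, flags = struct.unpack_from("<HHII", msg, 12)
        raw = msg[name_off:name_off + name_len]
        if len(raw) == name_len:
            # Without the Unicode flag the name is in an OEM code page;
            # latin-1 is used here as an approximation.
            enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
            result["target_name"] = raw.decode(enc, errors="replace")
    return result


def build_sample(msg_type, target=""):
    """Construct a minimal message for the demo (not captured traffic)."""
    if msg_type != 2:
        return SIGNATURE + struct.pack("<II", msg_type, NEGOTIATE_UNICODE)
    name = target.encode("utf-16-le")
    head = SIGNATURE + struct.pack("<IHHII", 2, len(name), len(name), 48,
                                   NEGOTIATE_UNICODE)
    # 8-byte challenge (zeroed), 8 reserved bytes, empty TargetInfo fields.
    return head + bytes(16) + struct.pack("<HHI", 0, 0, 48 + len(name)) + name


def sample_headers():
    """Constructed header values in handshake order; SRV01 is an assumed name."""
    b64 = lambda m: base64.b64encode(m).decode()
    return ["NTLM"] + ["NTLM " + b64(build_sample(t, "SRV01")) for t in (1, 2, 3)]


if __name__ == "__main__":
    for header in sample_headers():
        print(parse_ntlm_header(header))
```

Feeding it the header values captured on both paths (for example from a proxy or browser trace) shows whether the exchange stops after the offer, the negotiate or the challenge.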