Intermittent NTLM Issues

Hi, I’m brand new to HAProxy. Trying to set up a very simple load balancer to meet a missing AWS need. I’ve got version 1.8 on an Ubuntu Server Instance, pointing at a pool of four Windows IIS servers. They are using NTLM authentication. I’m attaching the config file I’m using below. I’m not seeing any errors in the log file. What’s happening is that I’m getting intermittent NTLM 401 errors. It will run fine for a while, the persistence works, but then randomly I’m getting "The HTTP request is unauthorized with client authentication scheme ‘Ntlm’". Any thoughts? Help would be sincerely appreciated!

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

#---------------------------------------------------------------------
# Common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 1m
    timeout client 2h
    timeout server 1h
    maxconn 10000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend main
    bind *:80
    capture request header Host len 32
    mode http
    option http-keep-alive
    default_backend webserver

#---------------------------------------------------------------------
# round robin balancing between the various backends
# (SERVERID cookie pins each client to the server it first landed on)
#---------------------------------------------------------------------
backend webserver
    balance roundrobin
    option http-keep-alive
    cookie SERVERID insert indirect nocache
    server s1 10.16.18.61:80 check cookie s1
    server s2 10.16.18.62:80 check cookie s2
    server s3 10.16.18.63:80 check cookie s3
    server s4 10.16.18.64:80 check cookie s4

Have you tried adding option accept-invalid-http-request to your frontend?

No, we haven’t tried that. It looks like it has something to do with NTLM passing info, not HTTP. We’re trying to force NTLMv2 now, so if that doesn’t work, I’ll check out your suggestion.

Thanks,

It turns out that this actually wasn’t really related to the LB. We had to change the NTLM settings to force NTLMv2 only, and it started working fine. If anyone has this same issue, check the local security policy for the server and have it force NTLMv2.

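The "force NTLMv2" change the poster describes is the Local Security Policy setting "Network security: LAN Manager authentication level", which is stored as the LmCompatibilityLevel DWORD under the Lsa registry key. The script below is an added example, not something posted in the thread, to audit that level on one of the IIS backends and raise it to level 5 (NTLMv2 only, refuse LM and NTLM); the function names are my own and it assumes an elevated PowerShell session on the server.

```powershell
# Added example: audit/enforce "Send NTLMv2 response only. Refuse LM & NTLM"
# on an IIS backend. Run elevated on each server (s1..s4 in the thread).
# A domain GPO for the same policy overrides whatever is set locally here.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

# Meaning of each level of "Network security: LAN Manager authentication level".
$Levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # If the value is absent, Windows Server 2008 and later behave as level 3.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 3 }
    return [int]$item.$ValueName
}

function Test-NtlmV2Only {
    # Only level 5 refuses both LM and NTLMv1 responses; that is the "NTLMv2 only" state.
    return (Get-LmCompatibilityLevel) -eq 5
}

function Set-NtlmV2Only {
    # Writes level 5. Reboot afterwards so every service picks up the new level.
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value 5 -Type DWord
}

$current = Get-LmCompatibilityLevel
Write-Host ("Current {0}: {1} ({2})" -f $ValueName, $current, $Levels[$current])

if (-not (Test-NtlmV2Only)) {
    Write-Host 'Server still accepts LM/NTLMv1; setting level 5.'
    Set-NtlmV2Only
    $now = Get-LmCompatibilityLevel
    Write-Host ("Now {0}: {1} ({2})" -f $ValueName, $now, $Levels[$now])
}
```

Run it on every backend behind the load balancer; a single server left at a lower level will still produce the intermittent 401s the thread describes whenever a request is routed to it.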