NTLM Authentication to Backend (Windows IIS)

I am trying to determine how to do a health check against backend servers in HAProxy with NTLM authentication (Windows IIS servers). As I understand, it is ‘multistage’ in that it will do a ‘basic’ auth first, return a 401, and then try again with different headers.

This is baked into the HTTP monitor in F5’s BIG-IP, as I recently learned: it tries basic auth first and then, failing that, attempts NTLM. Is there a way to mimic this in HAProxy?

The external health check might be one way; obviously, in theory, it allows you to script whatever check you want!

I can imagine how it might be done for sure.

If HAProxy has a better way I’ll let others weigh in…

On which platform do you run HAProxy? Linux?

You can use msnt_auth from Samba

https://www.samba.org/samba/docs/current/man-html/ntlm_auth.1.html

Add this to your health-check script.

markus

1 Like
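
As an added example that is not part of any post in this thread: a sketch of the external health-check script discussed above, using curl's built-in `--ntlm` support instead of Samba's `ntlm_auth`. The credentials file path, the `/health` path and the `svc-health` account name are assumptions; the four positional arguments are the ones HAProxy passes to an external check.

```shell
#!/bin/sh
# Added example: HAProxy external-check script doing an NTLM-authenticated GET.
# HAProxy invokes it as: <proxy_addr> <proxy_port> <server_addr> <server_port>
# Exit 0 marks the server up; any other exit code marks it down.

# Assumed paths/names (not from the thread): adjust for your environment.
# The credentials file holds one line:  user = "DOMAIN\\svc-health:PASSWORD"
CRED_FILE="${CRED_FILE:-/etc/haproxy/ntlm-check.curlrc}"
CHECK_PATH="${CHECK_PATH:-/health}"
CHECK_SCHEME="${CHECK_SCHEME:-http}"

# Refuse a credentials file that group or others can access.
cred_file_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group + other permission bits
    [ "$perms" = "------" ]
}

# Map the final HTTP status to a health result: only 2xx counts as healthy.
# A final 401 means the NTLM exchange itself failed (bad or locked account).
classify_status() {
    case "$1" in
        2[0-9][0-9]) return 0 ;;
        *)           return 1 ;;
    esac
}

ntlm_check() {
    cred_file_ok "$CRED_FILE" || { echo "unsafe or missing $CRED_FILE" >&2; return 2; }
    # -K keeps the password out of argv (visible in ps); --ntlm lets curl
    # carry out the challenge/response round trips on one connection.
    status=$(curl -q --silent --output /dev/null --max-time 5 \
        --ntlm -K "$CRED_FILE" --write-out '%{http_code}' \
        "${CHECK_SCHEME}://$1:$2${CHECK_PATH}") || status=000
    classify_status "$status"
}

# Run only when called with HAProxy's four arguments.
if [ "$#" -ge 4 ]; then
    ntlm_check "$3" "$4"
    exit $?
fi
```

To wire it in, set `external-check` in the `global` section and `option external-check` plus `external-check command <path-to-script>` in the backend. Use a dedicated low-privilege account for the check, since its password sits on the load balancer.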