Outlook clients constantly prompted for password [Exchange

I have an Exchange 2013 on prem environment with haproxy doing the load balancing.

When connecting via Outlook to Exchange via the LB/Haproxy, I’m constantly prompted for passwords despite entering the correct password and seeing all 401/200 logs and no 403 errors on neither the CAS or the LB logs.

When I force Outlook (via DNS) to connect to the Exchange server directly, the errors go away, so clearly the error is somewhere in the HAPROXY config. Can anyone review and advise?

log local0 notice
stats socket /var/run/haproxy.sock mode 600 expose-fd listeners level user
maxconn 4096
maxcompcpuusage 100
maxcomprate 0
nbproc 1
ssl-server-verify required
tune.ssl.default-dh-param 2048

mode http
log local0 info
option httplog
option dontlognull
option forwardfor except
option redispatch
option http-keep-alive
no option httpclose
no option http-server-close
retries 3
timeout connect 10s
timeout server 15m
timeout client 15m
timeout check 10s
#timeout http-keep-alive 10s
#timeout check 10s
maxconn 4096

frontend fe_e13_o
 bind [internalIP:443] ssl crt /loc/of/cert/cert.pem
 use_backend be_e13_o

backend be_e13_o
 mode http
 balance roundrobin
 source [internalIP]
 server exchangeA [serverIP]:443 check ssl inter 15s verify required ca-file /etc/ssl/certs/ca-bundle.crt

You want the client to stick to a specific server, you can’t do roundrobin between different servers, both for authentication and backend performance reasons (caches would also be cold).

Use balance source as opposed to balance roundrobin.

In your default section:


option prefer-last-server


no option httpclose
no option http-server-close

I’m not sure I understand why you are terminating TLS on the frontend and then reencrypting it all over again on the backend, can you explain?

Problem is solved. Missed a removal of “http-server-close.” Not sure why it had been added years ago, but I’m sure I had a good reason.

I believe it was breaking OWA, so we will see what happens.

TLS is set up the way it is to prevent any unencrypted traffic from transiting the network.