Netgate Discussion Forum

Haproxy Package + Sharepoint Auth (NTLMv2)

    JeGr LAYER 8 Moderator
    last edited by Feb 12, 2016, 4:39 PM

    Hi all,

    Is it possible to configure a service in haproxy to utilize the sharepoint authentication via NTLMv2? Or are the changes/necessary configuration options not possible with the package?

    Greets

    Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

    If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

      PiBa
      last edited by Feb 12, 2016, 10:42 PM

      Hi JeGr,

      I'm not exactly sure of the goal here, but using NTLM to connect to a backend is possible without special configuration. If you want haproxy itself to handle the NTLM authentication to a backend that does not require authentication itself, then I don't know how that should work. Haproxy itself will not check NTLM credentials, unless perhaps if you write some Lua script as a plugin for it.

      Does that answer your question?

      Regards
      PiBa-NL

        JeGr LAYER 8 Moderator
        last edited by Feb 15, 2016, 11:40 AM

        We have configured haproxy on a border gateway/proxy server for a customer, running Windows infrastructure inside a DMZ. HAproxy takes HTTPS and hands it to the Sharepoint servers. So far, that is working quite nicely and isolating the Windows servers from the outside, but one "achievement" remains unsolved. If they access sharepoint from the inside, they don't want to have to enter their credentials again (pops up as sharepoint login dialog). That can/will be achieved by those PCs on the LAN sending an NTLMv2 header with their request. I can see that happening correctly but somehow it seems HAproxy strips that header away so the user has to enter his credentials again/manually if he opens the URL sharepoint.company.url instead of being logged in via token/NTLM.

        We read about that being possible in several threads, but don't find the config option(s) mentioned in the pfsense frontend:
        https://serverfault.com/questions/559406/ntlm-through-proxy-server

          PiBa
          last edited by Feb 15, 2016, 6:21 PM

          Those config options you mention are for squid.
          Maybe however you could try adding 'option prefer-last-server' in the advanced section of the backend.
          http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#4.2-option%20prefer-last-server

          Haproxy does not strip headers away unless it is configured to do so. Could you perhaps post the haproxy.cfg to see if there are any options mentioned that might interfere? And give a little more understanding about your setup.

          p.s.
          The client browsers do have sharepoint.company.url configured in their 'local intranet' settings in IE? AFAIK for 'internet' and 'trusted websites' the NTLM authentication is never automatically sent. But I could be wrong there.

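The thread turns on whether the NTLM exchange survives the proxy, and the `option prefer-last-server` suggestion matters because NTLM authenticates the TCP connection rather than each request. The following is an added example, not code from either poster or from HAProxy: a Python check that decodes NTLM tokens from `Authorization` / `WWW-Authenticate` header values and confirms the three-message handshake stayed on one server-side connection. The event format, connection ids and sample tokens are constructed for illustration.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def ntlm_message_type(header_value):
    """Name the NTLM message in an Authorization / WWW-Authenticate value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None  # other scheme, or a bare "NTLM" offer without a token
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIGNATURE):
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type field
    return MESSAGE_NAMES.get(msg_type)


def check_handshake(events):
    """events: (server_conn_id, header_value) in wire order, proxy-to-server side.
    Returns (ok, reason)."""
    seen = [(conn, ntlm_message_type(value)) for conn, value in events]
    seen = [(conn, kind) for conn, kind in seen if kind]
    kinds = [kind for _, kind in seen]
    if kinds != ["NEGOTIATE", "CHALLENGE", "AUTHENTICATE"]:
        return False, "incomplete or out-of-order handshake: %s" % kinds
    if len({conn for conn, _ in seen}) != 1:
        return False, "handshake split across server connections"
    return True, "all three legs on server connection %s" % seen[0][0]


def sample_token(msg_type):
    # Constructed sample: signature + type + zero padding, not a real capture.
    body = NTLM_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 20
    return "NTLM " + base64.b64encode(body).decode("ascii")


SAME_CONN = [("c1", "NTLM")] + [("c1", sample_token(t)) for t in (1, 2, 3)]
SPLIT_CONN = [("c1", sample_token(1)), ("c1", sample_token(2)), ("c2", sample_token(3))]

if __name__ == "__main__":
    print(check_handshake(SAME_CONN))
    print(check_handshake(SPLIT_CONN))
```

A split result means the server received the AUTHENTICATE message on a connection that never saw the challenge, which produces the repeated login prompt even though no header was removed.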
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.