Haproxy Package + Sharepoint Auth (NTLMv2)
-
Hi all,
Is it possible to configure a service in haproxy to utilize the SharePoint authentication via NTLMv2? Or are the changes/necessary configuration options not possible with the package?
Greets
-
Hi JeGr,
I'm not exactly sure of the goal here, but using NTLM to connect to a backend is possible without special configuration. If you want haproxy itself to handle the NTLM authentication to a backend that does not require authentication itself, then I don't know how that should work. Haproxy itself will not check NTLM credentials, unless perhaps if you write some Lua script as a plugin for it.
Does that answer your question?
Regards
PiBa-NL
-
We have configured haproxy on a border gateway/proxy server for a customer, running Windows infrastructure inside a DMZ. HAProxy takes HTTPS and hands it to the SharePoint servers. So far, that is working quite nicely and isolating the Windows servers from the outside, but one "achievement" remains unsolved. If they access SharePoint from the inside, they don't want to have to enter their credentials again (pops up as a SharePoint login dialog). That can/will be achieved by those PCs on the LAN sending an NTLMv2 header with their request. I can see that happening correctly, but somehow it seems HAProxy strips that header away, so the user has to enter his credentials again/manually if he opens the URL sharepoint.company.url instead of being logged in via token/NTLM.
We read about that being possible in several threads, but don't find the config option(s) mentioned in the pfSense frontend:
https://serverfault.com/questions/559406/ntlm-through-proxy-server
-
Those config options you mention are for Squid.
Maybe however you could try adding 'option prefer-last-server' in the advanced section of the backend.
http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#4.2-option%20prefer-last-server
Haproxy does not strip headers away unless it is configured to do so. Could you perhaps post the haproxy.cfg to see if there are any options mentioned that might interfere? And give a little more understanding about your setup.
p.s.
Do the client browsers have sharepoint.company.url configured in their 'local intranet' settings in IE? AFAIK for 'internet' and 'trusted websites' the NTLM authentication is never automatically sent. But I could be wrong there.
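As an added illustration of the suggestion above (this is not configuration posted by either participant, and the thread does not confirm it resolves the reported problem): NTLM authenticates the TCP connection rather than each HTTP request, so the three-message handshake (client Type 1, server Type 2 challenge, client Type 3 response) must stay on one kept-alive connection to one backend server. In HAProxy 1.6 that is what `option http-keep-alive`, `option prefer-last-server` and `http-reuse never` (the 1.6 default, shown explicitly here) provide. In the pfSense package these lines go into the backend's advanced pass-thru box. The frontend `capture` line logs the first bytes of the client's `Authorization` header so you can see in the HAProxy log whether an `NTLM` or `Negotiate` token actually arrives, rather than guessing that it is being stripped. Server names, addresses and the certificate path are placeholders.

```haproxy
# Added example (not from the thread). Assumes HAProxy 1.6 on pfSense,
# a frontend named fe_sharepoint and a backend named be_sharepoint;
# all names, addresses and paths below are placeholders.

global
    log /var/run/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend fe_sharepoint
    bind *:443 ssl crt /var/etc/haproxy/sharepoint.pem
    # Log the first 20 bytes of the Authorization header ("NTLM TlRMTVNT...",
    # "Negotiate ...") so the log shows whether the browser sent a token at all.
    capture request header Authorization len 20
    default_backend be_sharepoint

backend be_sharepoint
    balance roundrobin
    # NTLM is connection-scoped: keep the client connection alive to the
    # backend so all three handshake messages use the same server connection.
    option http-keep-alive
    # Send follow-up requests of the same client session to the server that
    # answered the previous one (a hint, not a guarantee; needs keep-alive).
    option prefer-last-server
    # Never hand an NTLM-authenticated backend connection to another client.
    # This is the 1.6 default; it is written out so nobody "optimises" it away.
    http-reuse never
    server sp1 10.0.0.11:443 ssl verify none check
    server sp2 10.0.0.12:443 ssl verify none check
```

Before reloading, validate the generated file with `haproxy -c -f /var/etc/haproxy/haproxy.cfg`. With `httplog`, the captured header appears in braces in each log line; an entry showing `{NTLM TlRMTVNTUAAB...}` means the token reached HAProxy and the problem is on the backend side, while an empty capture (`{-}`) means the browser never sent it, which points at the IE zone settings mentioned in the p.s. above.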