Hi,
I'm hoping someone can help with an Exchange 2013 / NTLM Authentication
question.
(My background is more on the networking side, so I'm finding my way a bit with
HTTP related challenges...)
We're currently running HA Proxy v1.6.4 and trying to use it in-front of an
Exchange 2013 CAS set-up.
The challenge that we're having is whilst everything appears to be working,
we're having connectivity 'issues' when trying to migrate users to Office 365.
I've been trying to read-up on this and understand what might be happening.
- Our Frontend is running in HTTP mode, terminating the HTTPS connections to
the outside world.
- Our Backend is also running in HTTP mode, connecting back to the CAS Servers
over HTTPS.
The migration to Office 365 process connects to:
https://mail.ourcompany.com/EWS/mrsproxy.svc
>From the HA Proxy Logs, we can see that this works successfully for a number
>of requests like this:
Mar 23 09:12:19 ae-lb01.ourcompany.org haproxy[18151]: 132.245.40.245:56136
[23/Mar/2016:09:12:19.478] ft_exchange~ bk_exch_2013/ae-exch02 353/0/0/42/+395
200 +721 - - 289/289/1/1/0 0/0 {mail.ourcompany.com||1504} {715506} "POST
/EWS/mrsproxy.svc HTTP/1.1"
Mar 23 09:12:19 ae-lb01. ourcompany.org haproxy[18151]: 132.245.40.245:56136
[23/Mar/2016:09:12:18.726] ft_exchange~ bk_exch_2013/ae-exch02 15/0/0/401/+416
200 +722 - - 286/286/1/1/0 0/0 {mail.ourcompany.com||2435} {5620718} "POST
/EWS/mrsproxy.svc HTTP/1.1"
This works fine for about 500 log entries (in this instance; it appears to be
random). Then we get a few 401 errors:
Mar 23 09:12:19 ae-lb01.ourcompany.org haproxy[18151]: 132.245.40.245:61593
[23/Mar/2016:09:12:19.179] ft_exchange~ bk_exch_2013/ae-exch02 12/0/2/2/+16 401
+477 - - 288/288/2/2/0 0/0 {mail.ourcompany.com||2435} {0} "POST
/EWS/mrsproxy.svc HTTP/1.1"
Mar 23 09:12:19 ae-lb01.ourcompany.org haproxy[18151]: 132.245.40.245:61593
[23/Mar/2016:09:12:19.207] ft_exchange~ bk_exch_2013/ae-exch02 6/0/0/1/+7 401
+693 - - 288/288/2/2/0 0/0 {mail.ourcompany.com||0} {0} "POST
/EWS/mrsproxy.svc HTTP/1.1"
Interestingly, although the source IP is the same, the source tcp port changes.
This is not unexpected; tcp connections will come to an end and new ones will
start.
The problem that we're having is that as soon as this new connection starts, we
just then see a series of 401 errors from the same source IP, but different
source tcp port.
After doing some reading, as best as I can tell, this may be down to the NTLM /
Windows Authentication that is used in the process.
To understand this more, I've added some capture lines to my Frontend
configuration:
capture request header Host len 50
capture request header User-Agent len 500
capture request header Content-Length len 50
capture request header Authorization len 500
capture response header Content-Length len 50
capture response header WWW-Authenticate len 500
capture response header Authentication-Info len 500
After doing this and re-starting some bits, I can now see some more of the
Authentication information is the logs:
Mar 23 18:13:05 ae-lb01.ourcompany.org haproxy[3443]: 132.245.47.13:20099
[23/Mar/2016:18:13:05.660] ft_exchange~ bk_exch_2013/ae-exch02 8/0/1/2/+11 401
+693 - - 192/192/1/1/0 0/0 {mail.ourcompany.com||0|Negotiate
TlRMTVNTUAABl4II4gAGAvAjDw==} {0|NTLM|} "POST
/EWS/mrsproxy.svc HTTP/1.1"
Mar 23 18:13:26 ae-lb01.ourcompany.org haproxy[3443]: 132.245.47.13:20099
[23/Mar/2016:18:13:05.671] ft_exchange~ bk_exch_2013/ae-exch02
7/0/0/21029/+21036 503 +482 - - 194/194/1/1/0 0/0
{mail.ourcompany.com||663|Negotiate
TlRMTVNTUAADGAAYAJYAAABsAWwBrgAAABIAEgBYEgASAGoaABoAfBAAEAAaAgAAFYKI4gYC8CMPZvo1ootKOIM3n52pgdGLYm8AZgBmAGkAYwBlAG8AcgBnAG0AZgBhAGIAYQBkAG0AaQBuAEEATQAzAFAAUgAwADUATQBCAD}
{0||} "POST /EWS/mrsproxy.svc HTTP/1.1"
This was a useful insight into how Microsoft's NTLM / Windows Authentication
uses the HTTP headers and 401 responses:
http://www.innovation.ch/personal/ronald/ntlm.html
As was:
https://www.ietf.org/rfc/rfc4559.txt
My conclusion is that because HA Proxy is re-using the backend to Exchange
connection, the overall conversation between Office 365 and Exchange is no
longer authenticated.
My next step was to was to do some more reading about HA Proxy's HTTP
'connection modes'. This section in the documentation was great:
http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#4
As was this reference from ALOHA:
https://www.haproxy.com/static/media/uploads/eng/resources/aloha_load_balancer_http_connection_mode_memo2.pdf
So (finally), I'm down to my real question:
- What HA Proxy HTTP 'connection' mode should I be using with a Backend that is
providing an NTLM Authenticated Service?
- My understand is that it should be 'tunnel mode'.
- This can be configured on the backend with, 'option tunnel-mode'.
- This is needed, because in v1.6 and above, the default connection mo