Re: Exchange 2013 / NTLM Connections

[Willy Tarreau]

On Thu, Mar 24, 2016 at 01:27:59PM +0100, Baptiste wrote:
> Hi Graham,
> 
> The http-keep-alive mode is recommended, with the "option
> prefer-last-server" (which should be implicitly set by HAProxy in your
> case).
> Hopefully you're not using the http-reuse option.

FWIW, http-reuse correctly deals with 401/407, the connections are
marked private and are never shared.

Willy

Re: Exchange 2013 / NTLM Connections

[Baptiste]

Hi Graham,

The http-keep-alive mode is recommended, with the "option
prefer-last-server" (which should be implicitly set by HAProxy in your
case).
Hopefully you're not using the http-reuse option.

401 are normal and are part of the NTLM negociation. You should see a
few of them at the beginning of the connection, then regular traffic
passing through.

Baptiste

Exchange 2013 / NTLM Connections

[Graham Morley]

Hi,

I'm hoping someone can help with an Exchange 2013 / NTLM Authentication 
question.

(My background is more on the networking side, so I'm finding my way a bit with 
HTTP related challenges...)

We're currently running HA Proxy v1.6.4 and trying to use it in-front of an 
Exchange 2013 CAS set-up.

The challenge that we're having is whilst everything appears to be working, 
we're having connectivity 'issues' when trying to migrate users to Office 365.

I've been trying to read-up on this and understand what might be happening.

- Our Frontend is running in HTTP mode, terminating the HTTPS connections to 
the outside world.
- Our Backend is also running in HTTP mode, connecting back to the CAS Servers 
over HTTPS.

The migration to Office 365 process connects to:

https://mail.ourcompany.com/EWS/mrsproxy.svc

>From the HA Proxy Logs, we can see that this works successfully for a number 
>of requests like this:

Mar 23 09:12:19 ae-lb01.ourcompany.org haproxy[18151]: 132.245.40.245:56136 
[23/Mar/2016:09:12:19.478] ft_exchange~ bk_exch_2013/ae-exch02 353/0/0/42/+395 
200 +721 - -  289/289/1/1/0 0/0 {mail.ourcompany.com||1504} {715506} "POST 
/EWS/mrsproxy.svc HTTP/1.1"

Mar 23 09:12:19 ae-lb01. ourcompany.org haproxy[18151]: 132.245.40.245:56136 
[23/Mar/2016:09:12:18.726] ft_exchange~ bk_exch_2013/ae-exch02 15/0/0/401/+416 
200 +722 - -  286/286/1/1/0 0/0 {mail.ourcompany.com||2435} {5620718} "POST 
/EWS/mrsproxy.svc HTTP/1.1"

This works fine for about 500 log entries (in this instance; it appears to be 
random). Then we get a few 401 errors:

Mar 23 09:12:19 ae-lb01.ourcompany.org haproxy[18151]: 132.245.40.245:61593 
[23/Mar/2016:09:12:19.179] ft_exchange~ bk_exch_2013/ae-exch02 12/0/2/2/+16 401 
+477 - -  288/288/2/2/0 0/0 {mail.ourcompany.com||2435} {0} "POST 
/EWS/mrsproxy.svc HTTP/1.1"

Mar 23 09:12:19 ae-lb01.ourcompany.org haproxy[18151]: 132.245.40.245:61593 
[23/Mar/2016:09:12:19.207] ft_exchange~ bk_exch_2013/ae-exch02 6/0/0/1/+7 401 
+693 - -  288/288/2/2/0 0/0 {mail.ourcompany.com||0} {0} "POST 
/EWS/mrsproxy.svc HTTP/1.1"

Interestingly, although the source IP is the same, the source tcp port changes. 
This is not unexpected; tcp connections will come to an end and new ones will 
start.

The problem that we're having is that as soon as this new connection starts, we 
just then see a series of 401 errors from the same source IP, but different 
source tcp port.

After doing some reading, as best as I can tell, this may be down to the NTLM / 
Windows Authentication that is used in the process.

To understand this more, I've added some capture lines to my Frontend 
configuration:

  capture request header Host len 50
  capture request header User-Agent len 500
  capture request header Content-Length len 50
  capture request header Authorization len 500

  capture response header Content-Length len 50
  capture response header WWW-Authenticate len 500
  capture response header Authentication-Info len 500

After doing this and re-starting some bits, I can now see some more of the 
Authentication information is the logs:

Mar 23 18:13:05 ae-lb01.ourcompany.org haproxy[3443]: 132.245.47.13:20099 
[23/Mar/2016:18:13:05.660] ft_exchange~ bk_exch_2013/ae-exch02 8/0/1/2/+11 401 
+693 - -  192/192/1/1/0 0/0 {mail.ourcompany.com||0|Negotiate 
TlRMTVNTUAABl4II4gAGAvAjDw==} {0|NTLM|} "POST 
/EWS/mrsproxy.svc HTTP/1.1"

Mar 23 18:13:26 ae-lb01.ourcompany.org haproxy[3443]: 132.245.47.13:20099 
[23/Mar/2016:18:13:05.671] ft_exchange~ bk_exch_2013/ae-exch02 
7/0/0/21029/+21036 503 +482 - -  194/194/1/1/0 0/0 
{mail.ourcompany.com||663|Negotiate 
TlRMTVNTUAADGAAYAJYAAABsAWwBrgAAABIAEgBYEgASAGoaABoAfBAAEAAaAgAAFYKI4gYC8CMPZvo1ootKOIM3n52pgdGLYm8AZgBmAGkAYwBlAG8AcgBnAG0AZgBhAGIAYQBkAG0AaQBuAEEATQAzAFAAUgAwADUATQBCAD}
 {0||} "POST /EWS/mrsproxy.svc HTTP/1.1"

This was a useful insight into how Microsoft's NTLM / Windows Authentication 
uses the HTTP headers and 401 responses:

http://www.innovation.ch/personal/ronald/ntlm.html

As was:

https://www.ietf.org/rfc/rfc4559.txt

My conclusion is that because HA Proxy is re-using the backend to Exchange 
connection, the overall conversation between Office 365 and Exchange is no 
longer authenticated.

My next step was to was to do some more reading about HA Proxy's HTTP 
'connection modes'. This section in the documentation was great:

http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#4

As was this reference from ALOHA:

https://www.haproxy.com/static/media/uploads/eng/resources/aloha_load_balancer_http_connection_mode_memo2.pdf

So (finally), I'm down to my real question:

- What HA Proxy HTTP 'connection' mode should I be using with a Backend that is 
providing an NTLM Authenticated Service?
  - My understand is that it should be 'tunnel mode'.
  - This can be configured on the backend with, 'option tunnel-mode'.
  - This is needed, because in v1.6 and above, the default connection