@Hartmann Jan sadly, but nope. Without Negotiate, it worked properly. You check for headers and HTTP version (only 1. http works) and its case intensive checks headers name and values.
Exchange 2019 load balancing with negotiate IIS
Hello, sirs.
After setting up the Kerberos acc and changing the virtual directories' authorization from pure NTLM to Negotiate, we got some strange behavior with HAProxy.
Periodically, Outlook loses its connection through MAPI to the server. Restarting Outlook does not help; it just shows an error that it is not possible to open the folder list. This is what I see at this moment in Fiddler:
First MAPI connect, with X-RequestType: Connect and Authorization: Negotiate, got 200, and the Exchange server response gives a cookie: Set-Cookie X-BackEndCookie.
Second request with X-RequestType: Execute and with returned X-BackEndCookie gives 200, but in response this interesting message:
"HTTP/1.1 200 ErrorMsg:Unable to find session context based on cookie. [ResponseCode=ContextNotFound];ErrorCode:;ErrorHints:ContextNotFoundException"
Third request: same, but with X-RequestType: Disconnect, and again this error:
"HTTP/1.1 200 ErrorMsg:Unable to find session context based on cookie. [ResponseCode=ContextNotFound];ErrorCode:;ErrorHints:ContextNotFoundException"
So this continues like 3-10 times for each mailbox, including mapped mb's, then it starts working normally for some time.
After some activity in Outlook, like opening a folder etc., this cycle repeats.
If clients target the Exchange server directly - no problem at all. Before we changed IIS from NTLM to Negotiate - no problem at all.
Can anyone advise where we should search?
2 answers
Roman Havryliuk 41 Reputation points
2023-02-26T00:11:11.2033333+00:00
@Hartmann Jan sadly, but nope. Only if I disable Negotiate (that does not apply in my env) does it work correctly. Several Windows services with Negotiate auth work perfectly, but not Outlook through HAProxy. Now it repeats continuously (asks for creds and shows that exch online).
And you should check the HTTP version on HAProxy (https 1 is needed) and headers names for case intensive; if HAProxy didn't change the headers name, maybe on that version of HAProxy it can start to work.