Hey everyone, I’m working on configuring a reverse proxy for my mail server setup and I’m stuck with Exchange 2019 autodiscover problems. The main issue seems to be that authentication credentials aren’t getting passed through properly to the backend server.
I’ve tested the username and password directly and they work fine. The autodiscover service was working perfectly before I put the proxy in front of it.
When I run connectivity tests, I get HTTP 401 errors saying unauthorized access. The response shows it’s expecting Negotiate, NTLM, or Basic authentication but something is blocking the auth flow.
My proxy config points to the Exchange server on port 443 with SSL enabled. I’ve tried adding custom headers to forward the authorization but it’s still not working.
Has anyone dealt with similar authentication passthrough issues with Exchange autodiscover? What’s the proper way to configure the proxy to handle Windows authentication?
Your auth issue is probably how the reverse proxy handles Exchange’s challenge-response mechanism. I’ve seen this before - the proxy isn’t keeping session state during the auth handshake. NTLM needs multiple round trips between client and server, so if your proxy creates new backend connections for each request, it breaks everything. Enable session persistence so the same backend connection stays active through the whole auth sequence. Also check if your proxy is buffering requests during auth - some buffer the entire request body before forwarding, which can time out. Try turning on connection pooling and sticky sessions to your Exchange server.
Your proxy isn’t handling the authentication realm right. Exchange autodiscover needs exact realm settings or auth breaks. Check if your proxy config forwards the original realm from Exchange to the client without changing it. Also make sure the proxy isn’t rewriting URLs and breaking the autodiscover endpoint paths during auth.
I hit this exact problem six months ago with our Exchange reverse proxy setup. The fix was making sure the proxy doesn’t mess with the original authentication headers. Most proxies strip or change auth headers by default, which breaks the NTLM handshake. I had to configure mine to keep the Authorization header untouched and set X-Forwarded-Proto to https. Exchange needs to see the original auth context to validate credentials properly. Also check that your proxy isn’t terminating SSL too early - Exchange autodiscover is really picky about SSL handling during auth. One more thing: see if your proxy has authentication timeouts that might cut off the multi-step NTLM process. Extending those timeouts fixed my intermittent auth failures that looked just like your 401 errors.
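
Added example, not written by anyone in this thread: a Python check that reads a proxy trace and flags the two failure modes the replies describe, an NTLM handshake split across backend connections and an Authorization header changed on the way to the backend. The record fields (`client_conn`, `backend_conn`, `client_auth`, `backend_auth`) are a hypothetical log format, and the tokens are constructed stand-ins that carry only the NTLMSSP signature and message type.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"

def ntlm_type(value):
    """NTLM message type (1, 2 or 3) carried in a header value, else None."""
    parts = (value or "").split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in ("ntlm", "negotiate"):
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIG):
        return None  # for example a Kerberos token under Negotiate
    return struct.unpack_from("<I", raw, 8)[0]

def check_trace(trace):
    """Return (index, problem) pairs for a list of proxy log records."""
    findings, started = [], {}  # started: client_conn -> backend_conn of Type 1
    for i, entry in enumerate(trace):
        if entry["client_auth"] != entry["backend_auth"]:
            findings.append((i, "Authorization header altered or dropped"))
        kind = ntlm_type(entry["client_auth"])
        if kind == 1:
            started[entry["client_conn"]] = entry["backend_conn"]
        elif kind == 3:
            first = started.pop(entry["client_conn"], None)
            if first is None:
                findings.append((i, "Type 3 without a preceding Type 1"))
            elif first != entry["backend_conn"]:
                findings.append((i, "Type 3 sent on a different backend connection"))
    return findings

def tok(kind):
    """Constructed stand-in token: signature, type, 4 pad bytes. Not a full message."""
    body = NTLM_SIG + struct.pack("<I", kind) + b"\x00" * 4
    return "NTLM " + base64.b64encode(body).decode()

def rec(client, backend, sent, forwarded):
    """Build one record in the hypothetical log format used here."""
    return {"client_conn": client, "backend_conn": backend,
            "client_auth": sent, "backend_auth": forwarded}

# Constructed sample traces
GOOD = [rec("c1", "b1", tok(1), tok(1)), rec("c1", "b1", tok(3), tok(3))]
SPLIT = [rec("c1", "b1", tok(1), tok(1)), rec("c1", "b2", tok(3), tok(3))]
STRIPPED = [rec("c1", "b1", tok(1), None)]
```

An empty result for a trace means the handshake stayed on one backend connection and the header reached the backend byte for byte.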