Observing session-based authentication such as NTLM only works when the first WWW-Authenticate header in the 401 response is either NTLM or Negotiate. For example, if I set up my server to send the headers in the following order:
Then the Proxy-Support: Session-Based-Authentication header is added by Fiddler and NTLM authentication succeeds. If I instead reorder them:
In this case the Proxy-Support: Session-Based-Authentication header is not added by Fiddler. If the client only supports NTLM and not bearer authentication, then the connection will fail unexpectedly.
In conclusion: It looks like Fiddler is checking only the first WWW-Authenticate header when deciding whether or not to send Proxy-Support: Session-Based-Authentication. It should be checking all of the WWW-Authenticate headers.
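The header-ordering problem described in the report, as an added example that is not Fiddler's own code: a small Python check that extracts the scheme name of every WWW-Authenticate challenge (including several challenges folded into one header, which RFC 7235 permits) and compares the first-header-only decision with one that inspects all headers. The header values are constructed for the example.

```python
# Added example (not Fiddler's code): decide whether a 401 response advertises
# a session-based (connection-oriented) scheme such as NTLM or Negotiate, the
# condition under which the proxy adds "Proxy-Support: Session-Based-Authentication".
SESSION_BASED = {"ntlm", "negotiate"}

def split_challenges(value):
    """Split one WWW-Authenticate value into challenges. Challenges and their
    auth-params are both comma-separated, so split on commas outside quotes and
    fold a piece that starts with 'name=' back into the preceding challenge."""
    pieces, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted  # backslash escapes ignored for brevity
        if ch == "," and not quoted:
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pieces.append("".join(buf))
    challenges = []
    for piece in (p.strip() for p in pieces):
        if not piece:
            continue
        if "=" in piece.split(None, 1)[0] and challenges:
            challenges[-1] += ", " + piece  # auth-param continuation
        else:
            challenges.append(piece)
    return challenges

def schemes_per_header(headers):
    """Lower-cased scheme names of every challenge, grouped per header."""
    return [[c.split(None, 1)[0].lower() for c in split_challenges(v)]
            for n, v in headers if n.lower() == "www-authenticate"]

def session_based_first_header_only(headers):
    """The behaviour reported above: only the first header is inspected."""
    groups = schemes_per_header(headers)
    return bool(groups) and bool(SESSION_BASED & set(groups[0]))

def session_based_any_header(headers):
    """The suggested fix: check every WWW-Authenticate header."""
    return any(SESSION_BASED & set(g) for g in schemes_per_header(headers))

# Constructed 401 header lists in the two orders described in the report.
NTLM_FIRST = [("WWW-Authenticate", "NTLM"),
              ("WWW-Authenticate", 'Bearer realm="api", error="invalid_token"')]
BEARER_FIRST = list(reversed(NTLM_FIRST))
```

With NTLM first both checks agree; with Bearer first only the any-header check recognises the session-based scheme.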
Yup, that's probably the case.