THere are lots of moving parts at play during HTTP authentication:
* Handler selection
* Scheme invalidation based on auth response
* Cached credentials invalidation based on auth response
* Cached credential eviction
* Host canonicalization
* SPN generation
* Security policy lookups


None of these things have adequate netlogging leading to misidentification of HTTP auth bugs.