https://twitter.com/ozziepeeps/status/1349126308454830082

Basically, the problem here is that if we're AutoAuthenticating when reissuing a request, we try to strip any default Auth header.

There's code that looks like

   if (theFlags.ContainsKey("x-AutoAuth") && newSession.requestHeaders["Authorization"].OICContains("NTLM") 

//... strip the header

The problem is that we should only be looking at the very first token of the Authorization header (e.g. before the first space). We should not search the whole header, because if the header is

    Authorization: Bearer BlahblahblahNtLMblahblah

we think it's an NTLM header and strip it.