Basically, the problem here is that if we're AutoAuthenticating when reissuing a request, we try to strip any default Auth header.
There's code that looks like
if (theFlags.ContainsKey("x-AutoAuth") && newSession.requestHeaders["Authorization"].OICContains("NTLM")
//... strip the header
The problem is that we should only be looking at the very first token of the Authorization header (e.g. before the first space). We should not search the whole header, because if the header is
Authorization: Bearer BlahblahblahNtLMblahblah
we think it's an NTLM header and strip it.