The Negotiate authentication scheme can support multiple different types
of authentication. The two most popular are NTLM and Kerberos. When we
supported NTLM, we'd first try Kerberos, and if it failed, fall back to
NTLM.
However, we no longer support NTLM, but some people still have server
configuration that uses NTLM via Negotiate. For these people,
authentication may be broken. Let's fall back to Basic in such a case
by keeping track of which authentication mechanisms we've tried,
keeping only the supported mechanisms if we got a response, and
stripping out failing mechanisms, falling back to Basic.
To help with servers that support both Negotiate and Basic, we
specifically consider SPNEGO (Negotiate) errors as authentication
errors. This is because if the server supports Kerberos but the client
does not have a ticket, then we'll get an error trying to read the
client's tickets, which will manifest in this way.
124df9f038