The WWW-Authenticate header is being dropped from responses sent by mod_proxy in reverse proxy mode, when the original server's response was chunked.
The problem appears to be in ap_http_header_filter() in modules/http/http_protocol.c, where we have: if (r->status == HTTP_NOT_MODIFIED) { apr_table_do((int (*)(void *, const char *, const char *)) form_header_field, (void *) &h, r->headers_out, "Connection", "Keep-Alive", "ETag", "Content-Location", "Expires", "Cache-Control", "Vary", "Warning", "WWW-Authenticate", "Proxy-Authenticate", NULL); } else { apr_table_do((int (*) (void *, const char *, const char *)) form_header_field, (void *) &h, r->headers_out, NULL); } I would think that in the else case at least the WWW-Authenticate header should be handled. Are there other headers that should also be handled here?