When using IE with IWA authentication, with transparent proxy setup, occasionally, a few users would be prompt for login when using IE6 or IE7. The proxy authentication realm was IWA with Kerberos method enabled. It happens randomly. This is what the request would look like in a packet capture
HTTP/1.1 401 Unauthorized
WWW-Authenticate: NEGOTIATE <<<<----This line caused the problem.
Content-Type: text/html; charset=utf-8
Set-Cookie: BCSI-CS0A010717=2; Path=/
The browser was confused by this authentication method: WWW-Authenticate: NEGOTIATE
Therefore the browser did not response with NTLM credential to proxy, but prompts the user to login instead.
WWW-Authenticate: NEGOTIATE is used for Kerberos authentication
Note : Not every browser was prompting users for authentication