How to debug NTLM authentication with Titanium Web Proxy

1

I am setting up a C# proxy which authenticates all HTTP Negotiate requests with the user credentials running the proxy. Sadly, using the Titanium Web Proxy I am not able to authenticate via NTLM / NTLMv2.

According to the GitHub repository, this feature should work out of the box (when setting EnableWinAuth = true).

After debugging the code and inspecting the communication via Wireshark, I think the traffic looks alright. The proxy is using secur32.dll to obtain the type1 and type2 message tokens. Since I am able to authenticate against the website without a proxy (the browsers are using the secur32.dll as well), I am sure that the specified NTLM protocol is valid.

  1. proxy sends a type1 message to the web server hosting the protected site. (when inspecting the type1 message, the domain / workstation name is correct)
  2. web server sends the type2 message to the proxy
  3. proxy is able to generate a type3 message from the type2 message and sends it to the server (type3 message includes the correct username)
  4. web server returns 401 unauthorized

After enabling the IIS feature to trace failed requests, I was able to find out that the web server refuses the token with the ErrorCode="The token supplied to the function is invalid (0x80090308)"

I also tried to authenticate against a website on a local IIS, on a remote IIS and running the proxy on a different workstation.

Changing the local network security policies to different NTLM protocols did not work either.

Do you have any idea how to investigate this case any further?

c#
proxy
ntlm-authentication
titanium-web-proxy
asked on Stack Overflow Apr 25, 2019 by Buttinger Xaver • edited Apr 25, 2019 by Buttinger Xaver
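An added example, not part of the original question and not code from the Titanium Web Proxy project: a small decoder for the base64 tokens in the `Authorization` / `WWW-Authenticate` headers seen in Wireshark, so the type1/type2/type3 fields of the proxied handshake can be compared with those of a direct browser login. Field offsets follow the MS-NLMP message layout; `build_type3` and the names `CORP`, `alice`, `WS01` are constructed sample input.

```python
import base64, struct

SIG, UNICODE = b"NTLMSSP\x00", 0x00000001  # signature; NTLMSSP_NEGOTIATE_UNICODE

def _buf(msg, pos):
    # Security buffer: uint16 length, uint16 allocated, uint32 offset (little-endian)
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError(f"buffer at {pos} points past end of message")
    return msg[offset:offset + length]

def parse_ntlm(header_value):
    """Decode an 'NTLM <base64>' header value captured from the wire."""
    msg = base64.b64decode(header_value.split(None, 1)[1])
    if msg[:8] != SIG:
        raise ValueError("no NTLMSSP signature (SPNEGO/Kerberos token?)")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:    # negotiate: names are OEM-encoded
        return {"type": 1, "flags": struct.unpack_from("<I", msg, 12)[0],
                "domain": _buf(msg, 16).decode("ascii", "replace"),
                "workstation": _buf(msg, 24).decode("ascii", "replace")}
    if mtype == 2:    # challenge: 8-byte server challenge at offset 24
        return {"type": 2, "flags": struct.unpack_from("<I", msg, 20)[0],
                "challenge": msg[24:32].hex()}
    if mtype == 3:    # authenticate; assumes the flags field at offset 60 is present
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & UNICODE else "ascii"
        nt = _buf(msg, 20)
        return {"type": 3, "flags": flags,
                "domain": _buf(msg, 28).decode(enc, "replace"),
                "user": _buf(msg, 36).decode(enc, "replace"),
                "workstation": _buf(msg, 44).decode(enc, "replace"),
                "nt_response": "NTLMv2" if len(nt) > 24 else "NTLMv1/NTLM2-session"}
    raise ValueError(f"unknown NTLM message type {mtype}")

def build_type3(domain, user, host, nt_len, flags=0x00000201):
    """Constructed sample only: a type3 layout with a zero-filled NT response."""
    names = [s.encode("utf-16-le") for s in (domain, user, host)]
    parts = [b"", b"\0" * nt_len] + names + [b""]
    head, body, off = SIG + struct.pack("<I", 3), b"", 64
    for p in parts:   # LM, NT, domain, user, workstation, session key
        head += struct.pack("<HHI", len(p), len(p), off + len(body))
        body += p
    msg = head + struct.pack("<I", flags) + body
    return "NTLM " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    print(parse_ntlm(build_type3("CORP", "alice", "WS01", 24)))
```

Run `parse_ntlm` on the header values from both captures and diff the resulting dictionaries; a difference in flags, encoding or response type between the two handshakes narrows down where the proxy's token diverges.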

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0