So I was testing WWSAPI client to ASMX interop. After getting the basic Hello World scenario working, I decided to require Windows authentication on the web application and impersonate the client identity. Then I reran the client without changing the client code to enable HTTP header authentication. I thought it would fail but it worked. As it turned out, since I was using “localhost” as the host name in WS_ENDPOINT_ADDRESS, the HTTP client would automatically respond to Negotiate/NTLM challenge using the default credential. After I changed the host name to the machine name, my client failed with WS_E_SERVER_REQUIRES_NEGOTIATE_AUTH. Not a security hole since this is a loopback scenario, but a small exception to our well-designed header authentication feature.