--- mod_auth_ntlm_winbind.c	2008-05-10 11:40:47.000000000 +0200
+++ mod_auth_ntlm_winbind.c.oden	2009-03-22 13:32:33.000000000 +0100
@@ -951,6 +951,29 @@ static int check_user_id(request_rec * r
                                           : "Authorization");
     const char *auth_line2;
 
+#ifdef APACHE2
+    /*  ap_set_keepalive() does not check for
+	"Proxy-Connection: keep-alive", and therefore breaks NTLM auth
+	for the CONNECT proxying ("https" etc.) when a browser uses HTTP/1.0
+	for CONNECT (like IE6+ does).
+
+	An ugly work-around to fix it here:
+	When "CONNECT .... HTTP/1.0" without any "Connection: ..."
+	but with "Proxy-Connection: keep-alive", set "Connection: keep-alive"
+	manually (which will be successfully eaten by ap_set_keepalive() later)
+    */
+
+    if (r->method_number == M_CONNECT &&
+	r->proto_num == HTTP_VERSION(1,0) &&
+	!apr_table_get(r->headers_in, "Connection") &&
+	ap_find_token(r->pool,
+		    apr_table_get(r->headers_in, "Proxy-Connection"),
+		    "keep-alive") != 0
+    ) {
+	apr_table_mergen(r->headers_in, "Connection", "keep-alive");
+    }
+#endif
+
     /* Trust the authentication on an existing connection */
     if (ctxt->connected_user_authenticated && ctxt->connected_user_authenticated->user) {
         /* internal redirects cause this to get called more than once