Hi Vlad
In rereading your request - this isn't exactly what you are after - but I will leave it here since it is related and may be useful to others looking at a similar topic.
Generally for backend WWW Authentication:
The setting you want in the proxyrules.xml file is:
<forward connection-auth="yes">http://backend.example.com$0</forward>
This will then propagate the normal HTML authenticate headers straight through as a normal proxied request.
Description of what happens:
The reason you need the extra setting is because of the way NTLM authentication works. When NTLM is used then NTLM authenticates the "connection" as belonging to the user. So any other requests going down that socket to the backend are considered as also being from the same (authenticated) user.
Obviously that is a real problem for a proxy if you are trying to run a pool of connections to the backend and want to pass different requests from different users along the same pool of connections. Adding connection-auth="yes" means it will not use the normal backend pool of connections, but will use the connection oriented pool, which maintains individual sockets per authenticated user:
<connection-pool name="connection oriented authentication">
connection-timeout="10 seconds"
max-size="200"
enabled="yes"
</connection-pool>
Cheers - Mark
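
Added example (not part of Mark's post and not the proxy's own code): a small Python model of the behaviour described above, showing how a shared backend pool lets one user's request ride on a socket already authenticated as another user, and how a pool keyed per user avoids it. All class and function names are hypothetical, and the traffic is constructed.

```python
# Toy model (constructed for illustration): identity bound to a socket, as with NTLM.
from collections import deque

class Backend:
    """Hypothetical backend that authenticates the connection, not each request."""
    def __init__(self):
        self.socket_owner = {}                  # socket id -> user bound by handshake
    def handle(self, sock, user, sends_credentials):
        if sends_credentials:                   # handshake completed on this socket
            self.socket_owner[sock] = user
        return self.socket_owner.get(sock)      # None models a 401 challenge

class SharedPool:
    """Ordinary proxy pool: any free socket serves whichever user comes next."""
    def __init__(self, size):
        self.free = deque(range(size))
    def acquire(self, user):
        return self.free.popleft()
    def release(self, user, sock):
        self.free.appendleft(sock)              # most recently used socket goes out first

class PerUserPool:
    """Connection-oriented pool: a socket is reused only by the user who owns it."""
    def __init__(self, max_size=200):           # mirrors max-size="200" in the post
        self.max_size, self.by_user = max_size, {}
    def acquire(self, user):
        if user not in self.by_user:
            if len(self.by_user) >= self.max_size:
                raise RuntimeError("connection-oriented pool exhausted")
            self.by_user[user] = len(self.by_user)
        return self.by_user[user]
    def release(self, user, sock):
        pass                                    # socket stays pinned to its user

def replay(pool, requests):
    """Return (real user, identity the backend attributed) for each request."""
    backend, seen = Backend(), []
    for user, sends_credentials in requests:
        sock = pool.acquire(user)
        seen.append((user, backend.handle(sock, user, sends_credentials)))
        pool.release(user, sock)
    return seen

def misattributed(seen):
    """Requests the backend served under somebody else's identity."""
    return [(u, ident) for u, ident in seen if ident is not None and ident != u]

# Constructed traffic: alice authenticates, then bob sends an unauthenticated request.
REQUESTS = [("alice", True), ("bob", False), ("alice", False)]
```

With the shared pool, bob's request is attributed to alice; with the per-user pool, bob gets a challenge instead.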