diff -u negotiate/auth_scheme.cc ntlm/auth_scheme.cc --- negotiate/auth_scheme.cc 2011-12-17 03:03:40.182737382 +0100 +++ ntlm/auth_scheme.cc 2011-12-17 03:02:53.674826465 +0100 @@ -266,28 +260,6 @@ return -2; } -/* add the [proxy]authorisation header */ -void -AuthSCHEMEUserRequest::addHeader(HttpReply * rep, int accel) -{ - http_hdr_type type; - - if (!server_blob) - return; - - /* don't add to authentication error pages */ - - if ((!accel && rep->sline.status == HTTP_PROXY_AUTHENTICATION_REQUIRED) - || (accel && rep->sline.status == HTTP_UNAUTHORIZED)) - return; - - type = accel ? HDR_AUTHENTICATION_INFO : HDR_PROXY_AUTHENTICATION_INFO; - - httpHeaderPutStrf(&rep->header, type, "SCHEME %s", server_blob); - - safe_free(server_blob); -} - void AuthSCHEMEConfig::fixHeader(AuthUserRequest *auth_user_request, HttpReply *rep, http_hdr_type type, HttpRequest * request) { @@ -328,17 +300,7 @@ /* Special case: authentication finished OK but disallowed by ACL. * Need to start over to give the client another chance. */ - - if (scheme_request->server_blob) { - debugs(29, 9, "authenticateSCHEMEFixErrorHeader: Sending type:" << type << " header: 'SCHEME " << scheme_request->server_blob << "'"); - httpHeaderPutStrf(&rep->header, type, "SCHEME %s", scheme_request->server_blob); - safe_free(scheme_request->server_blob); - } else { - debugs(29, 9, "authenticateSCHEMEFixErrorHeader: Connection authenticated"); - httpHeaderPutStrf(&rep->header, type, "SCHEME"); - } - - break; + /* fall through */ case AUTHENTICATE_STATE_NONE: /* semantic change: do not drop the connection. @@ -373,7 +335,7 @@ authenticateStateData *r = static_cast(data); int valid; - char *blob, *arg = NULL; + char *blob; AuthUserRequest *auth_user_request; AuthUser *auth_user; 
@@ -419,17 +381,11 @@ /* seperate out the useful data */ blob = strchr(reply, ' '); - if (blob) { + if (blob) blob++; - arg = strchr(blob + 1, ' '); - } else { - arg = NULL; - } if (strncasecmp(reply, "TT ", 3) == 0) { /* we have been given a blob to send to the client */ - if (arg) - *arg++ = '\0'; safe_free(scheme_request->server_blob); scheme_request->request->flags.must_keepalive = 1; if (scheme_request->request->flags.proxy_keepalive) { @@ -439,28 +395,15 @@ debugs(29, 4, "authenticateSCHEMEHandleReply: Need to challenge the client with a server blob '" << blob << "'"); } else { scheme_request->auth_state = AUTHENTICATE_STATE_FAILED; - auth_user_request->denyMessage("NTLM authentication requires a persistent connection"); + auth_user_request->denyMessage("SCHEME authentication requires a persistent connection"); } - } else if (strncasecmp(reply, "AF ", 3) == 0 && arg != NULL) { + } else if (strncasecmp(reply, "AF ", 3) == 0) { /* we're finished, release the helper */ - - if (arg) - *arg++ = '\0'; - - scheme_user->username(arg); - + scheme_user->username(blob); auth_user_request->denyMessage("Login successful"); - safe_free(scheme_request->server_blob); - scheme_request->server_blob = xstrdup(blob); - - authenticateSCHEMEReleaseServer(scheme_request); - - scheme_request->auth_state = AUTHENTICATE_STATE_DONE; - debugs(29, 4, "authenticateSCHEMEHandleReply: Successfully validated user via SCHEME. Username '" << blob << "'"); - /* connection is authenticated */ debugs(29, 4, "AuthSCHEMEUserRequest::authenticate: authenticated user " << scheme_user->username()); /* see if this is an existing user with a different proxy_auth 
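Review bot: In the `AF ` branch of the `@@ -439,28 +395,15 @@` hunk, `scheme_user->username(blob)` takes whatever follows the three-character prefix, so a helper reply of just `AF ` marks the connection authenticated with an empty username. `blob` cannot be NULL there, because the prefix itself contains the space that `strchr` finds, but nothing checks `*blob`. I would guard the branch, e.g. `} else if (strncasecmp(reply, "AF ", 3) == 0 && *blob != '\0') {`, and confirm that a reply failing the test ends up in a failure path rather than being ignored. The rest of the else-if chain and the start of the function lie outside this hunk.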
@@ -487,23 +430,12 @@ local_auth_user->expiretime = current_time.tv_sec; authenticateSCHEMEReleaseServer(scheme_request); scheme_request->auth_state = AUTHENTICATE_STATE_DONE; - - } else if (strncasecmp(reply, "NA ", 3) == 0 && arg != NULL) { + } else if (strncasecmp(reply, "NA ", 3) == 0) { /* authentication failure (wrong password, etc.) */ - - if (arg) - *arg++ = '\0'; - - auth_user_request->denyMessage(arg); - + auth_user_request->denyMessage(blob); scheme_request->auth_state = AUTHENTICATE_STATE_FAILED; - safe_free(scheme_request->server_blob); - - scheme_request->server_blob = xstrdup(blob); - authenticateSCHEMEReleaseServer(scheme_request); - debugs(29, 4, "authenticateSCHEMEHandleReply: Failed validating user via SCHEME. Error returned '" << blob << "'"); } else if (strncasecmp(reply, "BH ", 3) == 0) { /* TODO kick off a refresh process. This can occur after a YR or after diff -u negotiate/auth_scheme.h ntlm/auth_scheme.h --- negotiate/auth_scheme.h 2011-12-17 03:03:40.182737382 +0100 +++ ntlm/auth_scheme.h 2011-12-17 03:02:53.674826465 +0100 @@ -67,8 +67,6 @@ virtual const AuthUser *user() const {return _theUser;} - virtual void addHeader(HttpReply * rep, int accel); - virtual void user (AuthUser *aUser) {_theUser=dynamic_cast(aUser);} virtual const char * connLastHeader();
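Review bot: In the `NA ` branch of the `@@ -487,23 +430,12 @@` hunk in auth_scheme.cc, `auth_user_request->denyMessage(blob)` stores the helper's text verbatim, and the same text goes into the `debugs(29, 4, ...)` line. The text comes from an external helper process and may echo client-supplied data, so if the deny message is later shown to the client (not visible here) it needs escaping where it is rendered. A comment at the call would record that, for example `/* blob is helper-supplied text: treat as untrusted when displayed or logged */`. An empty reason after `NA ` is also accepted as-is; a fixed fallback message would be clearer for the user. The enclosing function starts and ends outside the hunk.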