Should not perform negotiate authentication with proxies unless proxy sends "Proxy-support: Session-Based-Authentication" header
RFC 4559, section 6 says:
If an HTTP proxy is used between the client and server, it must take care to not share authenticated connections between different authenticated clients to the same server. If this is not honored, then the server can easily lose track of security context associations. A proxy that correctly honors client to server authentication integrity will supply the "Proxy-support: Session- Based-Authentication" HTTP header to the client in HTTP responses from the proxy. The client MUST NOT utilize the SPNEGO HTTP authentication mechanism through a proxy unless the proxy supplies this header with the "401 Unauthorized" response from the server.
I don't believe that has been implemented, which could be a disaster if anyone is unfortunate enough to combine HTTP proxies with Kerberos or NTLM.