It seems as if HTTPCredentials only supports one scheme and authinfo.
However, the HTTP spec RFC 2616 allows multiple WWW-authenticate headers and/or multiple challenges.
The WWW-Authenticate response-header field MUST be included in 401
(Unauthorized) response messages. The field value consists of at
least one challenge that indicates the authentication scheme(s) and
parameters applicable to the Request-URI.
WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge
The HTTP access authentication process is described in "HTTP
Authentication: Basic and Digest Access Authentication" . User
agents are advised to take special care in parsing the WWW-
Authenticate field value as it might contain more than one challenge,
or if more than one WWW-Authenticate header field is provided, the
contents of a challenge itself can contain a comma-separated list of
Only looking at the first WWW-Authenticate header would cause Poco to fail when a server, e.g., on a Microsoft OS, sends one of its proprietary schemes (e.g., NTLM) as first entry and Basic or Digest scheme as additional challenges.