Although hfs might work with most browsers, authentication won't work when behind an MS ISA 2004 firewall. The cause: the firewall proxy rewrites headers so that there is more than one blank between the colon and the value.
The function ThttpConn.getHeader in hslib.pas should be able to strip more than one blank after the header name.
    if compareText(chop(':',l), h) = 0 then
      begin
      if (l>'') and (l[1]=' ') then delete(l,1,1);
      result:=l;
      exit;
      end;
Better to use something like this:
    while (l>'') and (l[1]=' ') do begin delete(l,1,1); end;
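The following stand-alone program is an added example, not code from hslib.pas: it goes slightly beyond the fix above by also removing tabs and trailing whitespace, since RFC 7230 allows optional spaces and tabs on both sides of a header value. The function name getHeaderValue and the sample header lines are assumptions made for illustration.

```pascal
program HeaderOws;
{$IFDEF FPC}{$MODE DELPHI}{$ENDIF}
{$APPTYPE CONSOLE}
uses SysUtils, Classes;

// Hypothetical stand-in for ThttpConn.getHeader: returns the value of header
// "name" from raw header lines, with optional whitespace (spaces and tabs)
// removed on both sides of the value. Returns '' if the header is absent.
function getHeaderValue(headers: TStrings; const name: string): string;
var
  i, p, first, last: integer;
  l: string;
begin
  result := '';
  for i := 0 to headers.Count-1 do
  begin
    l := headers[i];
    p := pos(':', l);
    if p = 0 then continue;                        // not a "name: value" line
    if compareText(copy(l, 1, p-1), name) <> 0 then continue;
    first := p+1;
    last := length(l);
    // Skip every leading blank or tab, not just the first one.
    while (first <= last) and ((l[first] = ' ') or (l[first] = #9)) do inc(first);
    // Drop trailing blanks and tabs as well.
    while (last >= first) and ((l[last] = ' ') or (l[last] = #9)) do dec(last);
    result := copy(l, first, last-first+1);
    exit;
  end;
end;

var
  h: TStringList;
begin
  h := TStringList.Create;
  try
    // Constructed sample headers, not captured from a real proxy.
    h.Add('Host: example.test');
    h.Add('Authorization:   Basic dXNlcjpwYXNz');  // several blanks after the colon
    h.Add('Accept:'#9'*/*  ');                     // tab before, blanks after
    // Brackets make any leftover whitespace visible in the output.
    writeln('[', getHeaderValue(h, 'authorization'), ']');
    writeln('[', getHeaderValue(h, 'Accept'), ']');
  finally
    h.Free;
  end;
end.
```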