This might be a specific issue and I will try to explain it as efficiently as possible.
We have a REST API service set up on IIS 10 on a Windows 2016 server registered in DOMAIN-1. The providers are set to use NTLM and Negotiate. If I set the Authorization in SOAPUI to use NTLM and the credentials of a domain user in DOMAIN-1, authentication works. However, if I use credentials of a user in DOMAIN-2, I get a 401.
The kicker is here: browsing to the endpoint using any browser works, as well as switching off Authorization from SOAPUI and configuring Burp Suite to act as a local proxy and NTLMv2 and DOMAIN-2 user credentials to connect to the endpoint. The problem seems specific to the NTLM auth method being used in SOAPUI, perhaps related to httpclient 4.1.1?
Finally, I have access to the server and examined event logs related to the success and failed logins. The failed logs have a substatus of "0xC000006A", possibly meaning "user name is correct but the password is wrong". It is for sure not a typo.
I also tried to examine the NTLM challenges and responses using wireshark but I cannot understand why only the DOMAIN-1 users are working using SOAPUI.
Pre-emptive auth is unchecked.
In my research I have seen some issues with httpclient 4.1.1 - could it be related to this?