I've discovered a resource leak in the HTTP authentication process on Windows when the Negotiate method is used. It manifests itself as a slow memory leak in the lsass.exe process. Every time a Negotiate authentication is performed, a handle to client credentials and a handle to the security context are leaked. The direct reason for it is that the dispose() method of the WindowsNegotiateScheme class is never called.
As far as I understand the interaction between HttpAuthenticator and WindowsNegotiateScheme, it is caused by HttpAuthenticator not processing the final authentication header, as it goes directly to the SUCCESS state. Without processing the final authentication header, the WindowsNegotiateScheme class doesn't have a chance to complete security context initialisation, which is the cause for not releasing OS resources.
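
Added example, not part of the original report and not HttpClient code: a self-contained Java model of the handle lifecycle described above, showing the leaky flow next to one that ties release to the exchange. Every class and method name here is hypothetical, and the counter only stands in for the OS handles held on the client's behalf.

```java
import java.util.concurrent.atomic.AtomicInteger;

/** Model only: hypothetical names, not the HttpClient or SSPI API. */
public class NegotiateLeakModel {
    // Stands in for credential and security-context handles tracked by the OS.
    static final AtomicInteger openHandles = new AtomicInteger();

    static class ModelNegotiateScheme implements AutoCloseable {
        private boolean credHandle, ctxHandle;

        String firstToken() { // models acquiring credentials and starting the context
            credHandle = true;
            ctxHandle = true;
            openHandles.addAndGet(2);
            return "client-token-1"; // constructed value
        }

        void processChallenge(String serverToken, boolean isFinal) {
            // Only the final server token completes the context and triggers release.
            if (isFinal) close();
        }

        @Override public void close() { // idempotent release of both handles
            if (credHandle) { credHandle = false; openHandles.decrementAndGet(); }
            if (ctxHandle) { ctxHandle = false; openHandles.decrementAndGet(); }
        }
    }

    // Leaky flow: a success status goes straight to SUCCESS and the final
    // authentication header is never handed to the scheme.
    static void authenticateLeaky(int status, String finalHeaderToken) {
        ModelNegotiateScheme scheme = new ModelNegotiateScheme();
        scheme.firstToken();
        if (status == 200) return; // SUCCESS: scheme is dropped with handles open
        scheme.processChallenge(finalHeaderToken, true);
    }

    // Defensive flow: the final token is processed, and try-with-resources
    // releases the handles even if that step is skipped or throws.
    static void authenticateSafe(int status, String finalHeaderToken) {
        try (ModelNegotiateScheme scheme = new ModelNegotiateScheme()) {
            scheme.firstToken();
            if (finalHeaderToken != null) scheme.processChallenge(finalHeaderToken, true);
        }
    }

    public static void main(String[] args) {
        for (int i = 0; i < 1000; i++) authenticateLeaky(200, "server-final-token");
        System.out.println("leaky flow, open handles: " + openHandles.get());
        openHandles.set(0);
        for (int i = 0; i < 1000; i++) authenticateSafe(200, "server-final-token");
        System.out.println("safe flow, open handles: " + openHandles.get());
    }
}
```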