From my understanding, this is hard/impossible to implement with the current API surface for extensions.
PAW would become an even better tool if you could support NTLM negotiated authentication mechanisms, even more so if Kerberos (perhaps with an explicit ticket being sourced elsewhere, or maybe just from macOS's klist by default)
To clarify the lacking API surface, there is no concept of an ephemeral request (so that multiple negotiate request/responses can be created to setup the authentication content)
From my understanding, this is hard/impossible to implement with the current API surface for extensions.
PAW would become an even better tool if you could support NTLM negotiated authentication mechanisms, even more so if Kerberos (perhaps with an explicit ticket being sourced elsewhere, or maybe just from macOS's
klist
by default)