The problem is that in the HTTPS capture, the type 3 (authenticate) is sent in a different connection from the type 2 (challenge).
In the HTTP capture, type 1 (negotiate), type 2 (challenge), type 3 (authenticate) all occur in the same connection. This is how NTLM is supposed to work.
In the screenshots below, I color-coded the connections (Ctrl+1-9 in Wireshark).
If needed, you could bypass based on the user-agent (AHC/1.0) or destination (postman-echo.com).
Thank you very much, Jon.
That's the problem. Grizzly verifies that the keep-alive is not present in the response so it creates a new connection. Shouldn't the keep-alive be included in the challenge message?
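The same-connection requirement discussed in this thread can be checked mechanically over capture data. The following is an added example, not code from either poster or from Grizzly: it decodes the NTLM message type from `Authorization` / `WWW-Authenticate` header values and reports any type 3 that was sent on a different TCP stream than the type 2 it answers. The function names, the stream numbers and the sample tokens are constructed for illustration, and the check assumes messages are given in capture order with one handshake in flight at a time.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"


def ntlm_type(header_value):
    """Return the NTLM message type (1, 2 or 3) from an HTTP auth header value, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None  # bare "NTLM" offer in the first 401, or another scheme
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(SIGNATURE):
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type field
    return msg_type if msg_type in (1, 2, 3) else None


def split_handshakes(messages):
    """messages: (tcp_stream, header_value) pairs in capture order.
    Returns (challenge_stream, authenticate_stream) for every type 3 that
    was sent on a different connection than the preceding type 2."""
    findings = []
    challenge_stream = None
    for stream, value in messages:
        msg_type = ntlm_type(value)
        if msg_type == 2:
            challenge_stream = stream
        elif msg_type == 3:
            if challenge_stream is not None and stream != challenge_stream:
                findings.append((challenge_stream, stream))
            challenge_stream = None  # handshake finished, wait for the next one
    return findings


def sample_token(msg_type):
    # Constructed sample: signature and type field only, no real NTLM payload.
    body = SIGNATURE + struct.pack("<I", msg_type) + bytes(4)
    return "NTLM " + base64.b64encode(body).decode()


# Constructed captures mirroring the two cases described in the thread.
HTTP_CAPTURE = [(0, sample_token(1)), (0, sample_token(2)), (0, sample_token(3))]
HTTPS_CAPTURE = [(4, sample_token(1)), (4, sample_token(2)), (5, sample_token(3))]

if __name__ == "__main__":
    print(split_handshakes(HTTP_CAPTURE), split_handshakes(HTTPS_CAPTURE))
```

The `(stream, header)` pairs can be taken from a Wireshark export that includes `tcp.stream` alongside the HTTP authentication headers.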