diff --git a/net/tshttpproxy/tshttpproxy.go b/net/tshttpproxy/tshttpproxy.go
index 98f67a31a..07ce492f0 100644
--- a/net/tshttpproxy/tshttpproxy.go
+++ b/net/tshttpproxy/tshttpproxy.go
@@ -71,10 +71,6 @@ func GetAuthHeader(u *url.URL) (string, error) {
 	if fake := os.Getenv("TS_DEBUG_FAKE_PROXY_AUTH"); fake != "" {
 		return fake, nil
 	}
-	if sysAuthHeader != nil {
-		return sysAuthHeader(u)
-	}
-
 	if user := u.User.Username(); user != "" {
 		pass, ok := u.User.Password()
 		if !ok {
@@ -85,7 +81,9 @@ func GetAuthHeader(u *url.URL) (string, error) {
 		req.SetBasicAuth(user, pass)
 		return req.Header.Get("Authorization"), nil
 	}
-
+	if sysAuthHeader != nil {
+		return sysAuthHeader(u)
+	}
 	return "", nil
 }
 
diff --git a/net/tshttpproxy/tshttpproxy_test.go b/net/tshttpproxy/tshttpproxy_test.go
index 2b3d40beb..350068bd9 100644
--- a/net/tshttpproxy/tshttpproxy_test.go
+++ b/net/tshttpproxy/tshttpproxy_test.go
@@ -2,48 +2,52 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build !windows
-
 package tshttpproxy
 
 import (
 	"net/url"
+	"runtime"
+	"strings"
 	"testing"
 )
 
 func TestGetAuthHeaderNoResult(t *testing.T) {
-	const proxyURL = `http://127.0.0.1:38274`
+	const proxyURL = "http://127.0.0.1:38274"
 
 	u, err := url.Parse(proxyURL)
 	if err != nil {
 		t.Fatalf("can't parse %q: %v", proxyURL, err)
 	}
 
-	ahval, err := GetAuthHeader(u)
+	got, err := GetAuthHeader(u)
 	if err != nil {
 		t.Fatalf("can't get auth header value: %v", err)
 	}
 
-	if ahval != "" {
-		t.Fatalf("wanted auth header value to be empty, got: %q", ahval)
+	if runtime.GOOS == "windows" && strings.HasPrefix(got, "Negotiate") {
+		t.Logf("didn't get empty result, but got acceptable Windows Negotiate header")
+		return
+	}
+	if got != "" {
+		t.Fatalf("GetAuthHeader(%q) = %q; want empty string", proxyURL, got)
 	}
 }
 
 func TestGetAuthHeaderBasicAuth(t *testing.T) {
-	const proxyURL = `http://user:password@127.0.0.1:38274`
-	const expect = `Basic dXNlcjpwYXNzd29yZA==`
+	const proxyURL = "http://user:password@127.0.0.1:38274"
+	const want = "Basic dXNlcjpwYXNzd29yZA=="
 
 	u, err := url.Parse(proxyURL)
 	if err != nil {
 		t.Fatalf("can't parse %q: %v", proxyURL, err)
 	}
 
-	ahval, err := GetAuthHeader(u)
+	got, err := GetAuthHeader(u)
 	if err != nil {
 		t.Fatalf("can't get auth header value: %v", err)
 	}
 
-	if ahval != expect {
-		t.Fatalf("wrong auth header value: want: %q, got: %q", expect, ahval)
+	if got != want {
+		t.Fatalf("GetAuthHeader(%q) = %q; want %q", proxyURL, got, want)
 	}
 }