jlguenego / node-expose-sspi

Expose Microsoft Windows SSPI to Node for SSO authentication.

Forbidden returned with no retry option

TheBryanMac opened this issue

Issue
If the user enters the wrong password, the return is set to forbidden. No retries are available, and refreshing the page will just return forbidden automatically until the browser cache is cleared or the NTLM cache expires. Using v0.1.59.

Code is basic: sso.auth({forceNTLM: true}) as middleware on a route. Not using additional session style detail.

Steps to reproduce on client:

  1. Browse to route/server page that has auth
  2. Client is prompted for user/password (iOS 14.8 with Safari)
  3. User types the wrong user or password in popup
  4. Returned forbidden result:
    • Not able to retry (no multiple attempts)
    • Refreshing the page will still show forbidden (for a period of time)
    • Leaving page and returning will still show forbidden

Expected behavior
The goal would be to have a multiple-attempts option available. Also, if forbidden, refreshing the page should re-prompt for credentials.