We have a jenkins instance running behind Apache web server, which forces basic authentication for accessing Jenkins.
When using jnlp from a slave machine, then it works initially, because it uses provided basic authentication credentials. However at some point it stops working and in jenkins-slave.err.log this line is printed over and over again:
Oct 29, 2015 12:38:23 PM hudson.remoting.Engine waitForServerToBack
INFO: Master isn't ready to talk to us. Will retry again: response code=401
Looking at the Engine#waitForServerToBack (https://github.com/jenkinsci/remoting/blob/master/src/main/java/hudson/remoting/Engine.java#L365) code, I can see that it does not provide credentials to path /tcpSlaveAgentListener.
Although there's a comment at #run method (https://github.com/jenkinsci/remoting/blob/master/src/main/java/hudson/remoting/Engine.java#L185):
// TODO /tcpSlaveAgentListener is unprotected so why do we need to pass any credentials?
Reading this, It seems that Engine assumes that Jenkins is never placed behind firewalls and served directly to the public, which is not always the case, especially when Jenkins slaves are involved - they might be outside of Jenkins own network, thus firewalls/proxies are probably between them.
In other words - Engine should always provide credentials to every request, if they exist, because assumption of something being unprotected might be wrong.
PS! Same thing applies to proxy credentials, which are not provided in the #waitForServerToBack, but are provided in #run.