Currently the authentication stack does not automatically redirect unauthenticated clients, rather it returns a 401. This is nominally ok for browser because the user can back track, use the login button, authenticate, and then return to the authenticated resource. This does not work for programmatic clients like 'curl' or applications that utilize the 'netcdf' library. These applications expect to get the 401 response only from the location against which they will authenticate.
Fix It Please.