Many thanks Stefan,
I'll take a further look tonight, as I've got some of my own patches to push, but both commits look pretty good from my initial review - apart from one query (see below) and a very minor code style typo with pointers ;-)
Do you think the failure check of Curl_convert_UTF8_to_tchar() should return CURL_OUT_OF_MEMORY rather than CURL_LOGIN_DENIED like we do in other calls to Curl_convert_UTF8_to_tchar() as well as memory allocs/string dups in other authentication message functions?
sasl_sspi: fixed unicode build for digest authentication
sasl_sspi: fix identity memory leak in digest authentication
I ran checksrc.pl and it didn't complain...
The CURLE_LOGIN_DENIED was a copy&paste mistake, I changed it to CURLE_OUT_OF_MEMORY, which should be appropriate afaics in this situation.
Pushed as commit b6baa10. I simplified the cast around Curl_convert_UTF8_to_tchar() as we have done in other calls to this function when we have a const char pointer.
Pushed as commit 077fd8f but moved a couple of the calls to after we have freed the credentials handle - to be consistent with other code that does the same.