Note: this behavior filed as Radar #21918904. I post this here for the benefit of others who may run into the same issue, or have advice for me to work around the problem elegantly.
A data task scheduled with NSURLSession to load from an HTTP Basic Auth protected resource will result in an authentication challenge callback on 10.10 with protectionSpace authenticationMethod "NSURLAuthenticationMethodDefault" while on 10.11 the same code (or importantly, precompiled binary) will result in a challenge that has authenticationMethod "NSURLAuthenticationMethodHTTPBasic".
It seems like it was a bug in 10.10 that NSURLAuthenticationMethodDefault was listed as the literal authenticationMethod, but now there is a problem becauses apps that relies upon testing NSURLSession authentication challenges for HTTP Basic on 10.10 must compare the challenge type with "default" while on 10.11 they must compare the challenge type with the more explicit HTTP Basic.
I can work around the problem by adding a special case to my own client code that changes the comparison based on OS release version, but is there some way Apple can finesse this so it works as expected for existing apps but also addresses the issue for the longer run?
Advice appreciated. Thanks!