Thank you for your reply!
Yes, I thought the header I added in my original rule might be the problem, so I ran tests and captured the tcpdump. It does look like what you described.
GET /website.aspx HTTP/1.0
Authenticated: 1 Host: test.example.com
However, the weird thing is that it works for some requests. I would expect all requests to fail if that causes the problem.
Also, since the purpose of the rule is to authenticate before sending the request to the backend server, I can't insert a header before knowing the request is authenticated by checking the authentication response.
I tried to retry the original request without modification. My test rule (in my later post) just sends the request and retries it without any change. It fails too. I also tried sanitizing all headers before the request was resent. It doesn't work either. I'm just not sure what "the request headers must be well-formed and complete" means now. If someone knows more about this, please help. Thank you!