diff --git a/libs/sofia-sip/libsofia-sip-ua/iptsec/auth_client.c b/libs/sofia-sip/libsofia-sip-ua/iptsec/auth_client.c
index 8a1c0f07ae..a2e2c19220 100644
--- a/libs/sofia-sip/libsofia-sip-ua/iptsec/auth_client.c
+++ b/libs/sofia-sip/libsofia-sip-ua/iptsec/auth_client.c
@@ -185,6 +185,10 @@ int ca_challenge(auth_client_t *ca,
 
   if (ca->ca_auc->auc_challenge)
     stale = ca->ca_auc->auc_challenge(ca, ch);
+
+  if (AUTH_CLIENT_IS_EXTENDED(ca))
+	  ca->ca_clear = 0;
+
   if (stale < 0)
     return -1;
 
@@ -863,7 +867,7 @@ static int auc_digest_challenge(auth_client_t *ca, msg_auth_t const *ch)
 
   stale = ac->ac_stale || cda->cda_ac->ac_nonce == NULL;
 
-  if (ac->ac_qop && (cda->cda_cnonce == NULL || ac->ac_stale)) {
+  if (ac->ac_qop && (cda->cda_cnonce == NULL || ac->ac_stale || ca->ca_clear )) {
     su_guid_t guid[1];
     char *cnonce;
     size_t b64len = BASE64_MINSIZE(sizeof(guid)) + 1;
diff --git a/libs/sofia-sip/libsofia-sip-ua/nua/nua_client.c b/libs/sofia-sip/libsofia-sip-ua/nua/nua_client.c
index 98b80fc938..d9d09536ac 100644
--- a/libs/sofia-sip/libsofia-sip-ua/nua/nua_client.c
+++ b/libs/sofia-sip/libsofia-sip-ua/nua/nua_client.c
@@ -1178,6 +1178,14 @@ int nua_base_client_check_restart(nua_client_request_t *cr,
     }
   }
 
+  if (status == 403) {
+	  if (nh->nh_auth) {
+		  /* Bad username/password */
+		  SU_DEBUG_7(("nua(%p): bad credentials, clearing them\n", (void *)nh));
+		  auc_clear_credentials(&nh->nh_auth, NULL, NULL);
+	  }
+  }
+
   if ((status == 401 && sip->sip_www_authenticate) ||
       (status == 407 && sip->sip_proxy_authenticate)) {
     int server = 0, proxy = 0;
@@ -1197,7 +1205,11 @@ int nua_base_client_check_restart(nua_client_request_t *cr,
 
       cr->cr_challenged = 1;
 
-      if (!invalid && auc_has_authorization(&nh->nh_auth)) {
+      if (invalid) {
+		  /* Bad username/password */
+		  SU_DEBUG_7(("nua(%p): bad credentials, clearing them\n", (void *)nh));
+		  auc_clear_credentials(&nh->nh_auth, NULL, NULL);
+      } else if (auc_has_authorization(&nh->nh_auth)) {
 		  return nua_client_restart(cr, 100, "Request Authorized by Cache");
 	  }
 
@@ -1209,7 +1221,7 @@ int nua_base_client_check_restart(nua_client_request_t *cr,
       cr->cr_status = 0, cr->cr_phrase = NULL;
       nua_client_request_unref(cr);
 
-      return !invalid;
+      return 1;
     }
   }
   /* GriGiu : RFC-3261 status supported Retry-After */