Well, I ended up just hashing the password on the client side before it was submitted in the ChallengeResponse. Feels a bit nasty as it is not ideal to have to reimplement the hashing algorithm in any clients that need to use the API.
------------------------------------------------------ http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2689284
