How To Let Proxy Users Specify Alternate Credentials with Forefront TMG 2010

You’re using Forefront Threat Management Gateway 2010 (a.k.a. TMG 2010) as a proxy server and want users to be prompted for credentials in order to access the Internet, but discover the default behavior is to have the browser display a “Denied Access” message (Error 502).  Is there a way to make this work?  Of course,…