I am in ASP.NET Web API. In the login method I check the user/password against the DB and, if they do not match, I return a 401 status code along with an "invalid user or password" message, like:
var content = new StringContent("Invalid user name or password");
var message = new HttpResponseMessage(HttpStatusCode.Unauthorized);
message.Content = content;
throw new HttpResponseException(message);
But the API seems to ignore my message and simply returns some HTML like:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Why is that? How can I override this?
One potential cause of this response is the IIS web site being configured to allow Forms authentication. Look at this older but still valid post on configuring IIS to disable Forms authentication for Web API.
I believe the response you are getting is from IIS and not from Web API. If you want to handle the authentication process yourself within your API, you need to tell IIS that anonymous access is allowed so that it will get out of the way.
Also, when you return a 401 you MUST return a WWW-Authenticate header (see http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2). This tells the client what type of authentication is allowed.
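As an added illustration (not the asker's or answerer's code), here is a Web API login action that returns the 401 together with the WWW-Authenticate header the answer says is required. It assumes IIS anonymous authentication is enabled for the site as described above; the CredentialsValid helper, the LoginRequest type and the "Bearer" scheme with realm "api" are placeholders.

```csharp
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;

public class LoginRequest
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class AccountController : ApiController
{
    // Placeholder: replace with a lookup against your own user store.
    // Returning one combined result (rather than "no such user" vs "bad password")
    // keeps the response from revealing which user names exist.
    private static bool CredentialsValid(LoginRequest login)
    {
        return false; // assumption: real check goes here
    }

    // AllowAnonymous lets unauthenticated callers reach this action; IIS itself must
    // also have anonymous authentication enabled, or IIS answers with its own 401 page
    // before this code ever runs (the HTML shown in the question).
    [HttpPost]
    [AllowAnonymous]
    public HttpResponseMessage Login(LoginRequest login)
    {
        if (login == null || !CredentialsValid(login))
        {
            // Same generic message for every failure case.
            var response = Request.CreateResponse(
                HttpStatusCode.Unauthorized, "Invalid user name or password");

            // RFC 2616 section 10.4.2: a 401 MUST include WWW-Authenticate naming
            // the scheme(s) the client may use. "Bearer" / realm "api" are assumptions.
            response.Headers.WwwAuthenticate.Add(
                new AuthenticationHeaderValue("Bearer", "realm=\"api\""));

            return response;
        }

        // Placeholder success payload; issue your real token here.
        return Request.CreateResponse(HttpStatusCode.OK, new { token = "<issued-token>" });
    }
}
```

With anonymous access enabled in IIS and this header present, the client receives the JSON/plain-text body from the action instead of the IIS error page.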