I have an ASP.NET MVC application, with some RESTful services that I'm trying to secure using custom basic authentication (they are authenticated against my own database). I have implemented this by writing an HTTPModule.

I have one method attached to the HttpApplication.AuthenticateRequest event, which calls this method in the case of authentication failure:

    private static void RejectWith401(HttpApplication app)
    {
        app.Response.StatusCode = 401;
        app.Response.StatusDescription = "Access Denied";
        app.CompleteRequest();
    }

This method is attached to the HttpApplication.EndRequest event:

    public void OnEndRequest(object source, EventArgs eventArgs)
    {
        var app = (HttpApplication) source;
        if (app.Response.StatusCode == 401)
        {
            string val = String.Format("Basic Realm=\"{0}\"", "MyCustomBasicAuthentication");
            app.Response.AppendHeader("WWW-Authenticate", val);
        }
    }

This code adds the "WWW-Authenticate" header which tells the browser to throw up the login dialog. This works perfectly when I debug locally using Visual Studio's web server. But it fails when I run it in IIS7.

For IIS7 I have the built-in authentication modules all turned off, except anonymous. It still returns an HTTP 401 response, but it appears to be removing the WWW-Authenticate header.

Any ideas?