Yes this is the expected behaviour.
In Asp.Net 4.5 the HttpResponse.SuppressFormsAuthenticationRedirect Property has been added. But the default behaviour is still a redirect to the login page. From MSDN:
By default, forms authentication converts HTTP 401 status codes to 302 in order to redirect to the login page. This isn't appropriate for certain classes of errors, such as when authentication succeeds but authorization fails, or when the current request is an AJAX or web service request. This property provides a way to suppress the redirect behavior and send the original status code to the client.
You could use this property or try the following workaround from this answer:
protected void Application_EndRequest()
{
if (Context.Response.StatusCode == 302 && Context.Request.Headers["X-Requested-With"] == "XMLHttpRequest")
{
Context.Response.Clear();
Context.Response.StatusCode = 401;
}
}
Or you could take a look at this question and answers: Forms authentication: disable redirect to the login page and pick a method that suits you to return a 401.