I tend to forget some simple things I just don’t use that often.
For bigger HTTP debugging “jobs” I am using Fiddler, as most of us do. So, if you want to forge a new HTTP request in Composer and see something like this (401 in the lines 14-21) :
You clearly need to check Automatically Authenticate in Composer Options tab.
So what do we see here. This is a random session on my dev box. My browser undergo 401 challenge in the step 1 and 2. From there, everything had 200 because we are authenticated. This is done by the browser, “automagically”. I drag and dropped POST request on position 12 to Composer and not checked Automatically Authenticate (I forgot to) and I got all those nice 401s from 14 to 21.
Please note, that even if you drag and drop some request from browser that got 200 from IIS, the Fiddler will not get 200 also. Fiddler is for IIS just another client, just replaying the very same request will not make it authenticated. This is by design, not a bug.
All requests from that point will get 200.
Hope this helps.