I think it might be a bug in URLConnection. Try the workaround from this similar problem: Unable to access a password protected page
If the original request did not contain valid credentials then the server will respond with 401.The client should prompt the user for their credentials (e.g. in the AuthenticationRequested event) and repeat the request. URLConnection appears to be doing this part correctly, however the error result of the original request is persisting and we never see the second request’s success.
The workaround linked above sets the credentials on the original request.