Custom OWIN response code for expired token

We have an OWIN Web API 2 site that requires both OAuth2 security and Windows Integrated Security.

The problem is that when access tokens expire, OWIN returns 401 Unauthorized responses. This will cause the browser to open the login window, because there are WWW-Authenticate headers with Negotiate and NTLM values, and also one with Bearer.

But if we disable Windows Integrated Security in IIS, then the response does not have these headers, only WWW-Authenticate: Bearer, and therefore the browser does not open the login window.

On the client side, we want to catch the error code when the token has expired and then update the access token. This does work, except for the browser's ugly popup asking for ID and password.

But for this application, we need to have both types of mixed authentication.

The solution seems to be to send a different HTTP status code for expired tokens, so that the browser doesn't show the login window and we can still catch this code on the client.

However, I'm not sure how to do this with OWIN.

I have registered a middleware at the top of the stack to look at and change the response code, but when the token has expired it seems to return 200 from OWIN, which somehow changes to 401 when sent to the client.

How do I change the status code returned only for expired tokens?

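One way to change the status only for tokens that have actually expired, written here as an added example (not code from the question or from the Katana project): hook the bearer middleware's own provider rather than an outer middleware, because the Bearer challenge is applied from an OnSendingHeaders callback after the pipeline has already unwound, which is why the outer middleware still sees 200. It assumes the Microsoft.Owin.Security.OAuth bearer middleware with its default AccessTokenFormat; the 440 status code and the `app.bearerTokenExpired` environment key are placeholders.

```csharp
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    // Placeholder status returned instead of 401 for expired tokens; IIS adds its Negotiate/NTLM challenge only to 401.
    private const int ExpiredTokenStatusCode = 440;
    // Hypothetical OWIN environment key carrying "expired" from the request side to the response side.
    private const string ExpiredFlagKey = "app.bearerTokenExpired";

    public void ConfigureAuth(IAppBuilder app)
    {
        var bearerOptions = new OAuthBearerAuthenticationOptions();
        bearerOptions.Provider = new OAuthBearerAuthenticationProvider
        {
            // Runs before the handler validates the token: unprotect it the same way the handler does
            // and remember whether it is expired (as opposed to absent or tampered with).
            OnRequestToken = context =>
            {
                if (!string.IsNullOrEmpty(context.Token))
                {
                    // AccessTokenFormat is assigned by UseOAuthBearerAuthentication below, so it is set at request time.
                    AuthenticationTicket ticket = bearerOptions.AccessTokenFormat.Unprotect(context.Token);
                    if (ticket != null && ticket.Properties.ExpiresUtc.HasValue
                        && ticket.Properties.ExpiresUtc.Value < bearerOptions.SystemClock.UtcNow)
                    {
                        context.OwinContext.Set(ExpiredFlagKey, true);
                    }
                }
                return Task.FromResult<object>(null);
            },
            // Runs while headers are being sent and the status is 401, i.e. after the point where
            // an outer middleware still saw 200. Only the expired case gets the custom status.
            OnApplyChallenge = context =>
            {
                if (context.OwinContext.Get<bool>(ExpiredFlagKey))
                {
                    context.OwinContext.Response.StatusCode = ExpiredTokenStatusCode;
                    context.OwinContext.Response.ReasonPhrase = "Access token expired";
                }
                else
                {
                    // Default behaviour: emit the WWW-Authenticate: Bearer challenge.
                    context.OwinContext.Response.Headers.AppendValues("WWW-Authenticate", context.Challenge);
                }
                return Task.FromResult<object>(null);
            }
        };
        app.UseOAuthBearerAuthentication(bearerOptions);
    }
}
```

The client-side refresh logic then tests for the chosen code instead of 401, while requests with no token or an invalid token keep the ordinary 401 flow.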