If you throw an HttpException with the error code 401 from a controller action, an http 500 error is sent to the user instead of the 401 originally thrown. This is an issue with the mvc it self and the only way to work around is setting the http status code rather than throwing the exceprion. if (!HttpContext.User.Iden ...
If you ever noticed that returnUrl variable has a url encoded and non-encoded versions of the same url, it's actually how it works and nothing is wrong with that. For more info http://blogs.msdn.com/b/vijaysk/archive/2008/01/24/anatomy-of-forms-authentication-return-url.aspx