Due to some unfortunate mechanisms buried deep in ASP.NET, setting Thread.CurrentPrincipal in Web API web hosting is not enough.
When hosting in ASP.NET, Thread.CurrentPrincipal might get overridden with HttpContext.Current.User when creating new threads. This means you have to set the principal on both the thread and the HTTP context. See here.
<rant>Oh well, can’t tell you how much I think that sucks. It is not the Web API guys fault – just a good example of why the design around HttpContext.User was completely flawed to start with.</rant>