Consistent Integration with Host Security
The host integration plumbing should be consistent when copying the host-established client identity to Web API.
The logic should be:
- If the host has established a client identity, copy it to the request message.
- If not, set up an anonymous principal.
Currently, in web hosting the client id is always copied; in self hosting, only for Windows auth.
This will lead to situations where HttpRequestMessage.GetUserPrincipal() returns null.

We now consistently use Thread.CurrentPrincipal as the contract between ASP.NET Web API and the host.
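
The copy-or-anonymous rule described in this issue, as an added example that is not code from ASP.NET Web API or from this thread. `HostPrincipalBridge` and its methods are hypothetical names standing in for the host plumbing; the principals are constructed samples.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Hypothetical stand-in for the host-to-Web-API plumbing; not a Web API type.
static class HostPrincipalBridge
{
    // Anonymous principal: an empty name gives IsAuthenticated == false, and no roles.
    static IPrincipal Anonymous()
    {
        return new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }

    // Same rule for every host: copy the host-established identity if present,
    // otherwise install an anonymous principal. Never leaves null behind.
    public static void Establish(IPrincipal hostPrincipal)
    {
        bool usable = hostPrincipal != null && hostPrincipal.Identity != null;
        Thread.CurrentPrincipal = usable ? hostPrincipal : Anonymous();
    }
}

static class Program
{
    // Downstream code reads only Thread.CurrentPrincipal and needs no null checks.
    static string Describe()
    {
        IIdentity id = Thread.CurrentPrincipal.Identity;
        return id.IsAuthenticated ? "authenticated as " + id.Name : "anonymous";
    }

    static void Main()
    {
        // Constructed sample: a host that authenticated the caller as "alice".
        var alice = new GenericPrincipal(new GenericIdentity("alice", "Basic"), new[] { "users" });
        HostPrincipalBridge.Establish(alice);
        Console.WriteLine(Describe());
        Console.WriteLine(Thread.CurrentPrincipal.IsInRole("users"));

        // Constructed sample: a self host with no authentication configured.
        HostPrincipalBridge.Establish(null);
        Console.WriteLine(Describe());
        Console.WriteLine(Thread.CurrentPrincipal.IsInRole("users"));
    }
}
```

With an anonymous principal in place, authorization checks fail closed through `IsAuthenticated` and `IsInRole` instead of throwing on a null principal.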