diff --git a/x-pack/legacy/plugins/security/server/routes/api/v1/__tests__/authenticate.js b/x-pack/legacy/plugins/security/server/routes/api/v1/__tests__/authenticate.js
index 5e07ec7ee06182..5cea7c70b77811 100644
--- a/x-pack/legacy/plugins/security/server/routes/api/v1/__tests__/authenticate.js
+++ b/x-pack/legacy/plugins/security/server/routes/api/v1/__tests__/authenticate.js
@@ -34,7 +34,7 @@ describe('Authentication routes', () => {
 
     initAuthenticateApi({
       authc: { login: loginStub, logout: logoutStub },
-      config: { authc: { providers: ['basic'] } },
+      __legacyCompat: { config: { authc: { providers: ['basic'] } } },
     }, serverStub);
   });
 
diff --git a/x-pack/legacy/plugins/security/server/routes/api/v1/__tests__/users.js b/x-pack/legacy/plugins/security/server/routes/api/v1/__tests__/users.js
index 83dfa778f1b505..4077ab52e86de7 100644
--- a/x-pack/legacy/plugins/security/server/routes/api/v1/__tests__/users.js
+++ b/x-pack/legacy/plugins/security/server/routes/api/v1/__tests__/users.js
@@ -31,7 +31,7 @@ describe('User routes', () => {
     clusterStub = sinon.stub({ callWithRequest() {} });
     sandbox.stub(ClientShield, 'getClient').returns(clusterStub);
 
-    initUsersApi({ authc: { login: loginStub }, config: { authc: { providers: ['basic'] } } }, serverStub);
+    initUsersApi({ authc: { login: loginStub }, __legacyCompat: { config: { authc: { providers: ['basic'] } } } }, serverStub);
   });
 
   afterEach(() => sandbox.restore());
@@ -90,7 +90,7 @@ describe('User routes', () => {
         expect(response.isBoom).to.be(true);
         expect(response.output.payload).to.eql({
           statusCode: 403,
-          error: 'Unauthorized',
+          error: 'Forbidden',
           message: 'Something went wrong.'
         });
       });
diff --git a/x-pack/legacy/plugins/security/server/routes/api/v1/users.js b/x-pack/legacy/plugins/security/server/routes/api/v1/users.js
index 595182653fa231..d6dc39da657b12 100644
--- a/x-pack/legacy/plugins/security/server/routes/api/v1/users.js
+++ b/x-pack/legacy/plugins/security/server/routes/api/v1/users.js
@@ -96,19 +96,15 @@ export function initUsersApi({ authc: { login }, __legacyCompat: { config } }, s
       // If user tries to change own password, let's check if old password is valid first by trying
       // to login.
       if (isCurrentUser) {
-        try {
-          const authenticationResult = await login(KibanaRequest.from(request), {
-            provider: providerToLoginWith,
-            value: { username, password },
-            // We shouldn't alter authentication state just yet.
-            stateless: true,
-          });
+        const authenticationResult = await login(KibanaRequest.from(request), {
+          provider: providerToLoginWith,
+          value: { username, password },
+          // We shouldn't alter authentication state just yet.
+          stateless: true,
+        });
 
-          if (!authenticationResult.succeeded()) {
-            return Boom.unauthorized(authenticationResult.error);
-          }
-        } catch(err) {
-          throw Boom.forbidden(err);
+        if (!authenticationResult.succeeded()) {
+          return Boom.forbidden(authenticationResult.error);
         }
       }
 
diff --git a/x-pack/test/api_integration/apis/security/change_password.ts b/x-pack/test/api_integration/apis/security/change_password.ts
index f6ddc2a724c39a..836fa5e9cf4d15 100644
--- a/x-pack/test/api_integration/apis/security/change_password.ts
+++ b/x-pack/test/api_integration/apis/security/change_password.ts
@@ -39,7 +39,7 @@ export default function({ getService }: FtrProviderContext) {
         .set('kbn-xsrf', 'xxx')
         .set('Cookie', sessionCookie.cookieString())
         .send({ password: wrongPassword, newPassword })
-        .expect(401);
+        .expect(403);
 
       // Let's check that we can't login with wrong password, just in case.
       await supertest