diff --git a/src/routes/accesscontrol.js b/src/routes/accesscontrol.js
index 4d4059223..8734693f7 100644
--- a/src/routes/accesscontrol.js
+++ b/src/routes/accesscontrol.js
@@ -32,7 +32,7 @@ function initialize(callback) {
     // deserialize user from session
     passport.deserializeUser(function(userId, callback) {
         users.get(userId, function (error, result) {
-            if (error) return callback(error);
+            if (error) return callback(null, null /* user */, error.message); // will end up as a 401. can happen if user with active session got deleted
 
             callback(null, result);
         });