Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Troubleshooting HTTP 401 errors in IIS


IIS Support Voice column

To customize this column to your needs, we want to invite you to submit your ideas about topics that interest you and issues that you want to see addressed in future Knowledge Base articles and Support Voice columns. You can submit your ideas and feedback using the Ask For It form. There's also a link to the form at the bottom of this column.

↑ Back to the top


Hello. My name is Lou Prete. I have been supporting Microsoft Internet Information Services (IIS) for the past five years and have been IIS content lead for the past two years.

HTTP 401 errors are among the most common errors you may have to deal with in IIS. While the causes for these errors can vary greatly, the causes fall into a finite number of categories. Correctly identifying the category of the cause for your HTTP 401 error can decrease the amount of time needed to identify the root cause of the error.

This article describes the troubleshooting steps when you encounter HTTP 401.x errors (401.1, 401.2, 401.3, 401.4, 401.5) in Microsoft Internet Information Services (IIS):

↑ Back to the top


Troubleshooting steps

For IIS 6.0 or the later versions of IIS 6.0

Starting in IIS 6.0, the substatus code is logged in the
Web logs. The Web logs are located in the following location:
%SYSTEMROOT%\System32\LogFiles\W3SVC###\
In the Web logs, the last three numbers in each entry represent
the status, the substatus, and the Win32 status.
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-Sub-status sc-win32-status2006-03-06 20:37:42 W3SVC1 192.168.1.101 GET /default.aspx - 80 - 192.168.17.45 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 2 21480742542006-03-06 20:37:42 W3SVC1 192.168.1.101 GET /default.aspx - 80 - 192.168.17.45 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 401 1 02006-03-06 20:38:36 W3SVC1 192.168.1.101 GET /default.aspx - 80 DOMAIN\user 192.168.17.45 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1) 200 0 0

For the earlier versions of IIS 6.0
In versions of IIS earlier than IIS 6.0, the substatus code is not logged in the Web logs. In these cases (or in cases where you don't have access to the Web logs), you can use the information sent back to the browser. In Microsoft Internet Explorer, you will have to disable the Show
Friendly HTTP Error messages
setting. With this change, you should see
an error page similar to the one below. In this case, we got an HTTP 401.2
error, and the page even gives a brief description of what the error
means:
You are not authorized to view this
page

You do not have permission to view this directory or page using
the credentials that you supplied because your Web browser is sending a
WWW-Authenticate header field that the Web server is not configured to
accept.

Please try the following:
Contact the Web site
administrator if you believe you should be able to view this directory or
page.
Click the Refresh button to try again with different
credentials.

HTTP Error 401.2 - Unauthorized: Access is denied due to
server configuration. Internet Information Services (IIS)

Technical
Information (for support personnel)
Go to Microsoft Product Support
Services and perform a title search for the words HTTP and 401.
Open IIS
Help, which is accessible in IIS Manager (inetmgr), and search for topics
titled About Security, Authentication, and About Custom Error
Messages.


Note You can also use tools to gather substatus codes, such as WFetch and Network Monitor.


Once you know the HTTP substatus code, focus on issues related to
that particular substatus. All others can be ignored.

HTTP 401.1: Denied by invalid user credentials

Description
IIS failed to log on a user to execute the request. All
requests must be associated with a user, even if the request is
anonymous.

Common reasons
  • The wrong user name or password is provided. Identify the
    user who failed to log on, and correct the user name or password.
  • Kerberos authentication fails.
    For more information, click the
    following article number to view the article in the Microsoft Knowledge Base:
    326985 How to troubleshoot Kerberos-related issues in IIS

    Other useful Kerberos articles are as
    follows:
    871179 You receive an "HTTP Error 401.1 -
    Unauthorized: Access is denied due to invalid credentials" error message when
    you try to access a Web site that is part of an IIS 6.0 application pool

  • The local or domain policy or the user rights assignment
    prevents the user from accessing the server. If the server is configured to
    audit logon failures, there may be additional information in the Security log.
    Refer to the following articles for the required user rights:
    812614 Default permissions and user rights for IIS 6.0

    271071 How to set required NTFS permissions and user rights for an IIS 5.0 Web server

    832981 Users cannot access Web sites when the security event log is full

    300549 How to enable and apply security auditing in Windows 2000

  • This error may also occur when anonymous access is
    configured. This may occur if the user name or password for the anonymous
    account that is stored in the IIS metabase differs from the actual information
    stored in the local user database (or the Active Directory directory service,
    if a domain account is used). Resetting the password for the account and in IIS
    resolves this problem.
  • After you upgrade a server running IIS 5.0 to IIS 6.0, IIS
    is running in IIS 5.0 compatibility mode. Once the server is switched to IIS
    6.0 isolation mode, you may see HTTP 401.1 errors on anonymous requests. This
    occurs because of IIS 5.0 anonymous password synchronization. To resolve this
    problem, set the AnonymousPasswordSync metabase key to false, and reset the anonymous user's password for the account and in
    IIS.
  • For more
    information about this error, click the following article numbers to view the
    articles in the Microsoft Knowledge Base:
    896861 You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6

    304201 Cannot access Web sites or cannot start IIS services that run under non-local system account and use Windows authentication with IIS

    263140 Anonymous and Basic authentication fail when you connect to IIS 5.0 on a domain controller

HTTP 401.2: Denied by server configuration

Description
The client browser and IIS could not agree on an
authentication protocol.

Common reasons
  • No authentication protocol (including anonymous) is
    selected in IIS. At least one authentication type must be selected.
    For more information, click the following article
    number to view the article in the Microsoft Knowledge Base:
    253667 Error message: HTTP 401.2 - Unauthorized: Logon failed due to server configuration with no authentication

  • Only Integrated authentication is enabled, and an older,
    non-Internet Explorer client browser tries to access the site. This happens
    because the client browser cannot perform Integrated authentication. To resolve
    this problem, use one of the following methods:
    • Configure IIS to accept Basic authentication. This
      should only occur over SSL for security purposes.
    • Use a client browser that can perform Integrated
      authentication. Internet Explorer and new versions of Netscape Navigator and
      Mozilla Firefox can perform Integrated authentication.
  • Integrated authentication is through a proxy. This happens
    because the proxy doesn't maintain the NTLM-authenticated connection and thus
    sends an anonymous request from the client to the server. Options to resolve
    this problem are as follows:
    • Configure IIS to accept Basic authentication. This
      should only occur over SSL for security purposes.
    • Don't use a proxy.

HTTP 401.3: Denied by resource ACL

Description
This error is returned when the user successfully
authenticated to the server, but the user does not have NTFS permissions to the
content requested.

Common solutions
  • Set the NTFS permissions correctly on the content. Review
    the "NTFS Permissions" section in the following articles:
    812614 Default permissions and user rights for IIS 6.0

    271071 How to set required NTFS permissions and user rights for an IIS 5.0 Web server

  • Verify that the correct authentication method is set. For
    example, when you use Integrated authentication, users are not prompted for
    authentication credentials. In this instance, it may be unclear if the request
    is authenticating or not.
  • If the content is located on a remote share, verify that
    users have sufficient NTFS and Share permissions.
    For more information,
    click the following article number to view the article in the Microsoft
    Knowledge Base:
    332142 NTLM requests for content on UNC share may be returned with 401 error messages

HTTP 401.4: Denied by custom ISAPI filter

Description
An ISAPI filter loaded denied the request.

Solution
Identify which ISAPI filter denied the request, and
contact the developer or vendor to determine a solution.

HTTP 401.5: Denied by custom ISAPI/CGI Web application

Description
An ISAPI extension or CGI application denied the
request.

Solution
Identify which ISAPI extension or CGI application denied
the request, and contact the developer or vendor to determine a solution.
In summary, when you troubleshoot HTTP 401 errors, the first step should always be to determine the substatus code.

  • 401.1: Authentication was attempted, but failed.
  • 401.2: Authentication was not attempted because the server
    and client could not agree on an authentication protocol.
  • 401.3: Authentication was successful, but the account that
    authenticated does not have sufficient permissions to access the requested
    resource or content.
  • 401.4: An ISAPI filter denied the request.
  • 401.5: An ISAPI extension or CGI application denied the
    request.

↑ Back to the top


Useful tools and resources

  • WFetch
    284285 How to use Wfetch.exe to troubleshoot HTTP connections

  • Network Monitor
    148942 How to capture network traffic with Network Monitor

  • Auditing/Security log
    300549 How to enable and apply security auditing in Windows 2000

Third-party solution disclaimer

The information and the solution in this document represent the current view of Microsoft Corporation on these issues as of the date of publication. This solution is available through Microsoft or a third-party provider. We do not specifically recommend any third-party provider or third-party solution that this article might describe. There might also be other third-party providers or third-party solutions that this article does not describe. Because we must respond to changing market conditions, this information should not be interpreted as a commitment by Microsoft. We cannot guarantee or endorse the accuracy of any information or of any solution that is presented by Microsoft or by any mentioned third-party provider.

Microsoft makes no warranties and excludes all representations, warranties, and conditions whether express, implied, or statutory. These include but are not limited to representations, warranties, or conditions of title, non-infringement, satisfactory condition, merchantability, and fitness for a particular purpose, with regard to any service, solution, product, or any other materials or information. In no event will Microsoft be liable for any third-party solution that this article mentions.Until next time, thank you for your time, and have a great day. As always, feel free to submit ideas on topics you want addressed in future columns or in the Knowledge Base using the Ask For It form.

↑ Back to the top


Community solutions content disclaimer

Microsoft corporation and/or its respective suppliers make no representations about the suitability, reliability, or accuracy of the information and related graphics contained herein. All such information and related graphics are provided "as is" without warranty of any kind. Microsoft and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information and related graphics, including all implied warranties and conditions of merchantability, fitness for a particular purpose, workmanlike effort, title and non-infringement. You specifically agree that in no event shall Microsoft and/or its suppliers be liable for any direct, indirect, punitive, incidental, special, consequential damages or any damages whatsoever including, without limitation, damages for loss of use, data or profits, arising out of or in any way connected with the use of or inability to use the information and related graphics contained herein, whether based on contract, tort, negligence, strict liability or otherwise, even if Microsoft or any of its suppliers has been advised of the possibility of damages.

↑ Back to the top


Keywords: kbhowto, kbinfo, kbconsumer, kbquadranttechsupp, KB907273, kbAudDeveloper, kbAudITPRO, kb

↑ Back to the top

Article Info
Article ID : 907273
Revision : 4
Created on : 7/18/2018
Published on : 12/19/2018
Exists online : False
Views : 9418