HTTP 401.x-Unauthorized

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Authentication is one of the first operations performed when an HTTP request is issued. Authentication is the process whereby IIS creates a user context for an HTTP request, typically by obtaining credentials from the HTTP client using a preconfigured authentication method, and then calling a Windows logon API using those credentials. The API then returns a security token for the request, which represents the user context.

After the authentication process concludes, IIS determines where the HTTP request goes next based on the resource that is being requested. Regardless of this choice, IIS issues an authorization check against the requested resource. IIS checks to ensure that the user context associated with this request is allowed to make the request. Usually, IIS performs a file ACL check to authorize the request.

When IIS cannot authenticate a request, it returns a 401.x-Unauthorized code. The substatus codes provide detailed information about why the request failed, as shown in Table 11.6 HTTP 401-Substatus Codes. The descriptions for most substatus codes are self-explanatory. When additional information about a substatus code is required, it is provided in one of the following sections.

Table 11.6 HTTP 401-Substatus Codes

401 Substatus Code Condition


Access is denied due to invalid credentials.


Access is denied due to server configuration favoring an alternate authentication method.


Access is denied due to an ACL set on the requested resource.


Authorization failed by a filter installed on the Web server.


Authorization failed by an ISAPI/CGI application.


Access denied by URL authorization policy on the Web server.
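
IIS 6.0 records the substatus in the sc-substatus field of its W3C extended log, so 401 responses can be grouped by cause and repeated invalid-credential failures from one client stand out. The Python below is an added example, not part of the original documentation. It assumes the log is constructed sample data, that the numeric substatus values are the standard IIS 6.0 assignments (the table above shows only the conditions), and that a threshold of three is an arbitrary choice.

```python
from collections import Counter

# Condition text is from the table above; the numeric substatus values are the
# standard IIS 6.0 assignments, added here as an assumption.
SUBSTATUS_401 = {
    1: "Access is denied due to invalid credentials.",
    2: "Access is denied due to server configuration favoring an alternate authentication method.",
    3: "Access is denied due to an ACL set on the requested resource.",
    4: "Authorization failed by a filter installed on the Web server.",
    5: "Authorization failed by an ISAPI/CGI application.",
    7: "Access denied by URL authorization policy on the Web server.",
}

# Constructed sample log (W3C extended format, documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus
2005-03-01 10:00:01 192.0.2.10 - GET /reports/ 401 2
2005-03-01 10:00:02 192.0.2.10 CONTOSO\\alice GET /reports/ 200 0
2005-03-01 10:02:11 198.51.100.7 admin GET /reports/ 401 1
2005-03-01 10:02:12 198.51.100.7 admin GET /reports/ 401 1
2005-03-01 10:02:13 198.51.100.7 root GET /reports/ 401 1
2005-03-01 10:05:40 203.0.113.5 CONTOSO\\bob GET /payroll/q1.xls 401 3
"""

def parse_401s(log_text):
    """Yield (client_ip, substatus) for every 401 response in a W3C log."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):  # column layout can change mid-file
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if row.get("sc-status") == "401":
                yield row["c-ip"], int(row.get("sc-substatus", 0))

def summarize(log_text, threshold=3):
    """Return (401 count per substatus, clients with >= threshold 401.1s)."""
    by_code, invalid_creds = Counter(), Counter()
    for ip, sub in parse_401s(log_text):
        by_code[sub] += 1
        if sub == 1:  # invalid credentials: track per client
            invalid_creds[ip] += 1
    noisy = sorted(ip for ip, n in invalid_creds.items() if n >= threshold)
    return by_code, noisy

if __name__ == "__main__":
    counts, noisy = summarize(SAMPLE_LOG)
    for sub, n in sorted(counts.items()):
        print(f"401.{sub} x{n}: {SUBSTATUS_401.get(sub, 'not in table')}")
    print("clients with repeated 401.1:", noisy)
```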