HTTP Error 401 - Unauthorized: Access is denied due to invalid credentials

- IIS7
- Win2008
- Terminal Services (remote apps)
- Logged onto an XP computer as Admin, on the same domain that the server is on.

Browsing to -
webpage appears fine

Browsing to 
fails with above error.

PING the '' address and it indeed resolves to
Firewall on server OFF for testing

Any ideas?
Who is Participating?
cj_1969Connect With a Mentor Commented:
The problem is the domain reference ... I can tell from the problem that this does not match your AD domain name, which is why basic authentication is working.

The problem ... the external domain name you are using is being considered an Internet domain and as such the browser will not pass the logged in credentials in an encrypted form, it will only do this for Intranet sites.

The security implication is that you are now passing the login ID and password in clear text across the Internet ... anyone getting on a LAN segment that your packets are traversing could sniff the packets as you are logging in and get the credentials.

To resolve this there are two things you can do:
1. (The preferred method) Add the domain to the intranet zones for all machines on your network.
2. Connect via SSL.  This will provide encryption for the data stream so that the packets will be encrypted even though the data flowing through the stream is not.
Are you connecting from the machine that has IIS on it or from another machine?
The error makes me think that the server is using local credentials (and allowing it) when accessing it by IP and that when using the FQDN that it is defaulting to trying to authenticate against the domain ... and your local credentials are not working, causing the error.

See if accessing the machine with just the  name of them achine (not using the domain) works.
PeteAuthor Commented:
I am connecting from a machine on the network (not the server that has iis).
on the iis server http://servername/ts works, but gives the 401 error.
Another note - my 2 machines (work and from home) that I have been using for testing since the start of the project are working fine using the address. I have installed 3 x CAL (per device) would that have made any difference? My TS Licensing config is shown as 'no errors' but once connected from a client the licenses on the server never show as actually being used, but 3 x TEMPORARY PER DEVICE CAL show as being used. Maybe it should be per user CAL? maybe not related at all?
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

I just realized that ts=terminal services.
My guess is that this is a ts configuration issue.

Ok, theory here ... but from reading this page ...  ... my guess is that the application has created bindings in its configuration file to the machine name.  You will need to find out where that configuration is (check control panels and see if there is a config option for the app there) and add the FQDN as something that the application is to respond to.
PeteAuthor Commented:
it is now working from everywhere after enabling 'basic authentication' on the TS virtual dir. what are the security implications of doing this?
PeteAuthor Commented:
I understand the rpoblem now, and adding the site seems a simple fix - however:
still gives the 401 error after closing and ALT-F5 on IE7 etc
Thanks again
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.