Fix:“401 – Unauthorized: Access is denied due to invalid credentials“ on ASP.NET MVC & IIS 7


There are a lot of different reasons for this error message for example the IIS process has no access for the files or the password of the account where the application runs is wrong. All in all: it is a not very clear defined error message. Martin has already written about a very interesting problem a short time ago (he found the Workaround here). The symptoms of the error have been this:

- Error message “401 – Unauthorized: Access is denied due to invalid credentials” from a remote machine

- Nothing special in the IIS Logs

- The site was shown correctly by the Remote Desktop localhost

imageWhat was wrong: If you turn the IIS Manager (IIS Manager -> Error Pages -> Edit Feature Settings) on Detailed Error the side works from outside as well without any kind of error messages. Mh?!

Beside the website was an ASP.NET MVC side but probably the problem would be the same with a regular ASP.NET. The page we want to see was the login page but that doesn’t work.

What about the detailed error settings?

You can change the settings at IIS Manager -> Error Pages and Edit Feature Settings (on the right side). The following is set as Default:


These settings effect that the detail-information’s of an error will be shown to the user if he comes through the localhost. Everyone else will see an unspecific site. At this page you can read more about the process. Most important part:


Now we are going to talk about the symptom: the site was shown correctly by the Remote Desktop localhost

What I recognized much later was that the site was shown correctly on the server but it was redeemed with Http Status 401. The “Response Body” consists of the Login site and because of this I didn’t recognized it before.

Like you can see on the process above: If the errorMode is set on “detailed” the Response Body will be rendered as error message. In my case the response body was the login page.

Why was the Status Code 401?

The main problem was: a “RenderAction()” on the Layout/Masterpage which leaned on an action where authentication was necessary. That’s what provoked the 401 error and for result it puts the login page into the body. Beside I do not know why this didn’t end up in a circle because the login site also uses the Layout.

The solution:

If you receive this kind of error message you have to check up if there is an RenderAction producing an error if there’s something wrong on your login page.

Other advice: Take a look on the Statuscodes of the site with Firebug or anything else.

This advice was from an answer on Stackoverflow asked by a guy with the same problem.

If you enjoyed this post, please consider leaving a comment or subscribing to the RSS feed to have future articles delivered to your feed reader.

About the author

Written by

Learn more about our team.

One Response

  1. Thank you! This post saved my day.


Comment on this post

Recent Posts

  • image1929-570x143_thumb.png
    Create and validate own Json-Web-Tokens (JWTs)

    If you are interested in web authentication you probably have heard about JSON Web tokens (JWT). What is a JWT? Maybe I’m not using the correct security termination but however: JWTs are used to exchange claims between two systems. For example: You want to log on to a service (like Facebook, Twitter, etc.) and want […]

  • Micro-Optimization: how to shrink or „embed“ pictures

      I’m currently working on the “CodeInside Dashboard” and since the page structure isn’t that difficult it should be possible to fulfill all of Google Pagespeed or Yahoos YSlow recommendations. One of the rules was to optimize the 4 PNGs that are embedded on the page.   Before – without optimization: Below you can see […]

  • image1979-570x194.png
    Move to Windows Azure – VMs, Word Press Migration, DNS changes

    Since mid January this blogs runs on a WordPress installation in an Azure VM. Because I always thought that the subject is quite complicated this blogpost offers a view behind the scenes. Why this move? So far this blog (both German and English Version) runs on a hoster somewhere in Germany. The main problem with this […]

  • Windows Azure Active Directory – CRUD for users and groups

      Windows Azure Active Directory? If you are not informed about the subject I recommend you to have a look on this Azure Info site. Which resources are there? The Azure AD contains the following entities: - Users - Groups - Contacts - Roles Access to the directory or on the “directory graph” Although the […]

  • Introduction into SignalR 2.0 & Azure Website Websockets

      SignalR is an Open Source Framework for Real Time WebApps. The main problem with Real-Time in the web is the canal between Browser and Server. If you never had to deal with SignalR and this problem before here is a brief introduction:   The problem Traditionally the browser initiates the request to the server […]

Support us