"HTTP Error 401.1" error message when Msiexec.exe updates an MSI file in Windows Vista, in Windows 7, in Windows Server 2008, or in Windows Server 2008 R2

Applies to: Windows Vista Business, Windows Vista Business 64-bit Edition, Windows Vista Enterprise

Symptoms


Assume that you deploy an application to a client computer that is running one of the following operating systems by using System Center Configuration Manager 2012:
  • Windows Vista
  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2
When the deployment of the application is finished, the Microsoft Installer Package (MSI) file is removed from the local drive. Then, the ConfigMgr client updates the MSI source list by accessing the content server. This behavior is controlled by the self-healing functionality. When the self-healing functionality is triggered, Msiexec.exe tries to access the content path anonymously instead of by using the credentials of the user who is currently logged on to the client computer. However, the Secure Windows Initiative (SWI) guidelines do not allow anonymous access to content servers. Therefore, you receive the following error message:
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
Note The issue occurs only when the content server is indicated by using a URL.

More Information


Update information

This update adds an automatic logon level that determines when it is acceptable for WinHTTP to include the default credentials in a request. The update adds the following logon levels:
  • WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW
  • WINHTTP_AUTOLOGON_SECURITY_LEVEL_MEDIUM
  • WINHTTP_AUTOLOGON_SECURITY_LEVEL_HIGH
By default, the level is set to WINHTTP_AUTOLOGON_SECURITY_LEVEL_MEDIUM. This is the recommended logon level. For more information about optional security levels, visit the following Microsoft website:

To set the automatic logon security level, set the following registry entry under the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer registry subkey:

Name:  WinHttpAutoLogonLevel
Type:  String
Value: Available values are listed in the following table:

Value  Meaning
L      WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW
M      WINHTTP_AUTOLOGON_SECURITY_LEVEL_MEDIUM
H      WINHTTP_AUTOLOGON_SECURITY_LEVEL_HIGH

After you install this update and configure the logon level, Msiexec.exe uses the WinHttpSetCredentials function to pass the required authorization credentials to the content server if the first anonymous access request fails.

Automatic Logon Policy

The automatic logon (auto-logon) policy determines when it's acceptable for WinHTTP to include the default credentials in a request. The default credentials are either the current thread token or the session token, which depends on whether WinHTTP is used in synchronous or asynchronous mode. The thread token is used in synchronous mode, and the session token is used in asynchronous mode. These default credentials are often the username and password used to log on to Microsoft Windows.

The auto-logon policy was implemented to prevent these credentials from being casually used to authenticate against an untrusted server. By default, we set the security level to WINHTTP_AUTOLOGON_SECURITY_LEVEL_MEDIUM. This enables the default credentials to be used only for intranet requests. The auto-logon policy only applies to the NTLM and Negotiate authentication schemes. Credentials are never automatically transmitted with other schemes.

The auto-logon policy can be set by using the WinHttpSetOption function with the WINHTTP_OPTION_AUTOLOGON_POLICY flag. This flag applies only to the request handle. When the policy is set to WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW, default credentials can be sent to all servers. When the policy is set to WINHTTP_AUTOLOGON_SECURITY_LEVEL_HIGH, default credentials cannot be used for authentication. We strongly recommend that you use the auto-logon at the MEDIUM level.

Assume that the content server or the source is indicated by using a fully qualified domain name (FQDN) URL in System Center Configuration Manager 2012. When you use WINHTTP_AUTOLOGON_SECURITY_LEVEL_MEDIUM, it will still cause an error because WinHTTP sends user credentials only in response to requests that occur on a local intranet site. However, WinHTTP does not check the security zone settings in Internet Explorer to determine whether a website is in a zone that enables credentials to be sent automatically.

If no proxy is configured, WinHTTP sends credentials only to local intranet sites.

Note If the URL contains no period in the server name, such as in the following example, the server is assumed to be on a local intranet site:

http://sourceserver/msipath

If the URL contains periods, the server is assumed to be on the Internet. The periods indicate that you use an FQDN address. Therefore, no credentials are automatically sent to this server unless a proxy is configured and unless this server is indicated for proxy bypass.

However, if a proxy cannot be configured and you cannot use an intranet site name (as described earlier), you can use WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW. To make sure that the default credentials are not sent to an untrusted server, use HTTPS and secure the site with proper SSL certificates. LOW on its own sends default credentials to all servers, which makes it the less secure option; with HTTPS and WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW together, default credentials are sent only to servers where server authentication is successful. See setting up HTTPS for SCCM.
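
The registry setting and the credential rules described above, as an added PowerShell example (not Microsoft's code): it reads or writes WinHttpAutoLogonLevel and predicts, for each content URL, whether default credentials would be sent. The function names, the dp01.corp.example URLs and the wildcard treatment of the proxy bypass list are assumptions made for illustration.

```powershell
# Added example: helper names and the dp01 URLs are constructed for illustration.
$InstallerPolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'

function Get-MsiAutoLogonLevel {
    # Returns L, M or H. The article gives M as the default level.
    $p = Get-ItemProperty -Path $InstallerPolicyKey -Name WinHttpAutoLogonLevel -ErrorAction SilentlyContinue
    if ($p -and ('L','M','H' -contains $p.WinHttpAutoLogonLevel)) { return $p.WinHttpAutoLogonLevel.ToUpper() }
    return 'M'
}

function Set-MsiAutoLogonLevel {
    param([Parameter(Mandatory = $true)][ValidateSet('L','M','H')][string]$Level)
    if (-not (Test-Path $InstallerPolicyKey)) { New-Item -Path $InstallerPolicyKey -Force | Out-Null }
    # The article specifies a String value named WinHttpAutoLogonLevel.
    New-ItemProperty -Path $InstallerPolicyKey -Name WinHttpAutoLogonLevel `
        -PropertyType String -Value $Level -Force | Out-Null
}

function Test-DefaultCredentialSend {
    # Applies the article's rules to one content URL (NTLM/Negotiate only).
    # $ProxyBypass: host patterns on the proxy bypass list; empty means no proxy.
    # Matching with -like is a simplification (assumption), not WinHTTP's own matcher.
    param([string]$Url, [string]$Level = (Get-MsiAutoLogonLevel), [string[]]$ProxyBypass = @())
    $uri = [Uri]$Url
    $intranet = $uri.Host -notmatch '\.'          # no period in the server name
    foreach ($pattern in $ProxyBypass) { if ($uri.Host -like $pattern) { $intranet = $true } }
    switch ($Level) {
        'H'     { $send = $false }                 # never use default credentials
        'L'     { $send = $true }                  # any server
        default { $send = $intranet }              # MEDIUM: intranet only
    }
    $note = ''
    if ($Level -eq 'L' -and $uri.Scheme -ne 'https') { $note = 'LOW over plain HTTP: server is not authenticated' }
    elseif (-not $send) { $note = 'Expect HTTP 401.1 if the server requires authentication' }
    New-Object PSObject -Property @{ Url = $Url; Level = $Level; SendsDefaultCredentials = $send; Note = $note }
}

# First URL is the article's own example; the other two are constructed.
$urls = 'http://sourceserver/msipath', 'http://dp01.corp.example/msipath', 'https://dp01.corp.example/msipath'
foreach ($level in 'M', 'L') {
    $urls | ForEach-Object { Test-DefaultCredentialSend -Url $_ -Level $level } |
        Format-Table Url, Level, SendsDefaultCredentials, Note -AutoSize
}
```

Writing the policy value with `Set-MsiAutoLogonLevel -Level M` requires an elevated session, because the key is under HKEY_LOCAL_MACHINE.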

How to obtain this update

The following files are available for download from the Microsoft Download Center:
Operating system                                              Update
All supported x86-based versions of Windows Vista             Download the update package now.
All supported x64-based versions of Windows Vista             Download the update package now.
All supported x86-based versions of Windows Server 2008       Download the update package now.
All supported x64-based versions of Windows Server 2008       Download the update package now.
All supported IA-64-based versions of Windows Server 2008     Download the update package now.
All supported x86-based versions of Windows 7                 Download the update package now.
All supported x64-based versions of Windows 7                 Download the update package now.
All supported x64-based versions of Windows Server 2008 R2    Download the update package now.
All supported IA-64-based versions of Windows Server 2008 R2  Download the update package now.
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

To apply this update, you must be running one of the following operating systems:
  • Windows Vista Service Pack 2 (SP2)
  • Windows Server 2008 Service Pack 2 (SP2)
  • Windows 7
  • Windows 7 Service Pack 1 (SP1)
  • Windows Server 2008 R2
  • Windows Server 2008 R2 Service Pack 1 (SP1)
For more information about how to obtain a Windows Vista service pack, click the following article number to view the article in the Microsoft Knowledge Base:
935791 How to obtain the latest Windows Vista service pack
For more information about how to obtain a Windows Server 2008 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
968849 How to obtain the latest service pack for Windows Server 2008
For more information about how to obtain a Windows 7 or a Windows Server 2008 R2 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2

Registry information

To use the update in this package, you do not have to make any changes to the registry.

Restart requirement

You must restart the computer after you apply this update.

Update replacement information

This update does not replace a previously released update.