In general, the HTTP 401 "Unauthorized" error indicates an authentication error, and not - as the name suggests - an authorization error. In ICF this indicates that the configured logon procedures (SICF tab "Logon Data") have failed, and we have a logon error situation. The browser may also issue a Basic Authentication popup where the logon data can be entered.
Note: A Basic Authentication popup is issued if for the affected ICF service the radiobutton "Explicit Response Time" is set on the tab "Error Pages" / "Logon Errors" in SICF. If the option "System Logon" is set, then a logon page will be issued instead of the popup, but this will come with the HTTP status 200.
The HTTP 401 error may also occur, if the fixed logon details on the SICF tab "Logon Data" are invalid. This needs to be checked also for the parent nodes, and for external aliases. Note that SICF settings are client independent, and the maintained user may or may not exist in other clients.
Also note that the HTTP 401 error may come from a different ICF service than what was called originally. For example, if we log on to the application /abc and this calls the application /xyz in the background, then the logon credentials may not be valid for the application /xyz - this will result in HTTP 401. To clarify where the HTTP 401 error is coming from, and HTTPWatch trace is needed.