IIS returns 401 for newly uploaded files but existing files work (Azure VM WordPress)

Hi @Akesh Mohanan Webotix , Thanks for sharing your details.

To assist you better, could you check two things for me?

First, head over to C:\inetpub\logs\LogFiles\W3SVC1\ and open the most recent log file. Find one of the failed requests and look for a field called sc-substatus, it should show something like 401.1, 401.2, or 401.3.

Second, right-click the uploads folder, go to Properties → Security → Advanced, and check if there's an "Enable inheritance" button visible. If there is, that means inheritance is currently off, go ahead and enable it, then test uploading a new file to see if that changes anything.

If inheritance was already on, please let me know.

@ jahangirbokhs72

Your 365 subscription issue isn't related to the subject of this thread, IIS returns 401 for newly uploaded files but existing files work (Azure VM WordPress) Please re-ask your question using the tags
Microsoft 365 and Office
Subscription, account, billing
Home (if correct)
Windows (if correct)

Don

Hello Akesh Mohanan Webotix,

If existing images load successfully but newly uploaded images return 401 Unauthorized in IIS, this typically indicates a file system permission or attribute issue, not a problem with the image type or IIS static content itself.

Please review the following items:

1. Check the 401 substatus code

Review the IIS access logs under C:\inetpub\logs\LogFiles and identify the sc-substatus value.

• 401.3 specifically indicates an NTFS permission (ACL) issue, where IIS authenticated the request but does not have permission to read the file.
• The substatus code is required to accurately determine the cause of 401 errors in IIS.

2. Compare NTFS permissions on old vs. new files

Compare the ACLs of:

• One existing image that loads correctly, and
• One newly uploaded image that fails

Steps:

• Right‑click the file -> Properties -> Security -> Advanced
• Confirm that the account used by IIS (for example, IUSR, IIS_IUSRS, or IIS AppPool<AppPoolName>) has Read permission.
• If permissions differ, check the parent uploads folder and ensure:
  • “Include inheritable permissions from this object’s parent” is enabled
    • Permissions are reapplied to child files

This is a common scenario when files are created by PHP, FTP, or another process that does not inherit folder permissions correctly.

3. Check for the Hidden file attribute

IIS does not serve hidden static files by design. Hidden static files may return 404 or Access Denied errors.

To verify:

attrib "C:\path\to\image.png"

To remove the hidden attribute:

attrib -h "C:\path\to\image.png"

4. Enable Failed Request Tracing (FREB) for 401 errors

Failed Request Tracing provides detailed module‑level diagnostics.

Steps:

• IIS Manager -> Site -> Failed Request Tracing
• Add a rule for Status codes: 401.*
• Reproduce the issue and review the FREB XML log

The trace will show which IIS module is returning the 401 response and why.

5. Review Authentication configuration

Ensure:

• Anonymous Authentication is enabled for the site and uploads directory
• No conflicting authentication methods (Windows Authentication, WebDAV) are enabled
• The identity configured for Anonymous Authentication matches the account granted NTFS permissions

References

• Troubleshoot 401.x HTTP errors in IIS: https://learn.microsoft.com/troubleshoot/developer/webapps/iis/site-behavior-performance/troubleshoot-http-error-code
• Hidden static files return HTTP 404 or Access Denied: https://learn.microsoft.com/troubleshoot/developer/webapps/iis/site-behavior-performance/hidden-static-files-http-404-access-denied
• Troubleshoot failed requests using tracing in IIS: https://learn.microsoft.com/troubleshoot/developer/webapps/iis/health-diagnostic-performance/troubleshoot-failed-requests-using-tracing-in-iis-85