401 IIS Error for SearchAdmin.asmx

Posted 2019-07-18 16:05

Question:

I have a three-server SharePoint 2007 MOSS environment where my IIS logs continue to get pounded with 401.1 and 401.2. These logs are filling up so much that they consume my HDD. I can tell from the IP that these errors are from POST requests from one of my front-end web servers. Here is the sequence of logs that repeats forever. (The xxx IPs are all the same.)

2011-02-10 23:25:42 W3SVC951338967 xxx.xx.xxx.xx POST /SharedServices1/Search/SearchAdmin.asmx - 56738 MyDomain\SQLSAServiceAccount xxx.xx.xxx.xx Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.42) 200 0 0
2011-02-10 23:25:42 W3SVC951338967 xxx.xx.xxx.xx POST /SharedServices1/Search/SearchAdmin.asmx - 56738 - xxx.xx.xxx.xx Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.42) 401 2 2148074254
2011-02-10 23:25:42 W3SVC951338967 xxx.xx.xxx.xx POST /SharedServices1/Search/SearchAdmin.asmx - 56738 - xxx.xx.xxx.xx Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.42) 401 1 0

I really need some help trying to understand the source of this.

Thanks for your thoughts and ideas.

Answer 1:

401.1 and 401.2 are classic errors with SP.

First, if you set up SP to use NTLM, either move to Kerberos (which requires operation on the domain) or force NTLM as the only authentication provider:

cscript c:\inetpub\adminscripts\adsutil.vbs set w3svc/xxxxx/root/NTAuthenticationProviders "NTLM"

The process is described here.

If you are on IIS 7, you have to use the appcmd command as described here.

Then, in some cases, a loopback check is done. This occurs when a web request is made from and to the same box with a custom host header. This can be either disabled or whitelisted in the registry using the procedure described here. Please make the effort to whitelist your hostname instead of disabling the check, as it can open a security breach in your SI.

[Edit] According to James' comment, added the advice to whitelist the hostname instead of disabling the security check.



Answer 2:

These are not really errors. Your front end webserver (client) is connecting to the server, the server is responding with a 401 - to indicate that the client needs to authenticate.

The client then retries with authentication tokens if available...
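
One way to check Answer 2's point against the logs themselves, as an added example that is not part of the original thread: the script below separates 401s that belong to a completed authentication handshake from 401s that never lead to an authenticated success. The field order is inferred from the log lines in the question; the sample lines, account name, IP addresses and the 2-second matching window are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Field order inferred from the log lines in the question (assumption: no custom fields).
FIELDS = ("date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status").split()

# Constructed sample data: documentation IPs, made-up account and site names.
SAMPLE = r"""
2011-02-10 23:25:42 W3SVC1 192.0.2.10 POST /SharedServices1/Search/SearchAdmin.asmx - 56738 EXAMPLE\svc_search 192.0.2.10 WS+Client 200 0 0
2011-02-10 23:25:42 W3SVC1 192.0.2.10 POST /SharedServices1/Search/SearchAdmin.asmx - 56738 - 192.0.2.10 WS+Client 401 2 2148074254
2011-02-10 23:25:42 W3SVC1 192.0.2.10 POST /SharedServices1/Search/SearchAdmin.asmx - 56738 - 192.0.2.10 WS+Client 401 1 0
2011-02-10 23:30:00 W3SVC1 192.0.2.10 POST /SharedServices1/Search/SearchAdmin.asmx - 56738 - 192.0.2.77 WS+Client 401 2 2148074254
2011-02-10 23:30:00 W3SVC1 192.0.2.10 POST /SharedServices1/Search/SearchAdmin.asmx - 56738 - 192.0.2.77 WS+Client 401 1 0
2011-02-10 23:30:01 W3SVC1 192.0.2.10 POST /SharedServices1/Search/SearchAdmin.asmx - 56738 - 192.0.2.77 WS+Client 401 1 0
"""

def parse(text):
    """Yield one dict per well-formed W3C log line, skipping directives and junk."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec

def classify(text, window=2):
    """Split 401s into 'handshake' (an authenticated 2xx from the same client to the
    same URI within `window` seconds) and 'unresolved' (no such success)."""
    records = list(parse(text))
    ok = defaultdict(list)  # (client, uri) -> timestamps of authenticated successes
    for r in records:
        if r["sc-status"].startswith("2") and r["cs-username"] != "-":
            ok[(r["c-ip"], r["cs-uri-stem"])].append(r["ts"])
    verdicts, unresolved = Counter(), Counter()
    for r in records:
        if r["sc-status"] != "401":
            continue
        key = (r["c-ip"], r["cs-uri-stem"])
        # Timestamps have one-second resolution, so match in either direction.
        if any(abs((r["ts"] - t).total_seconds()) <= window for t in ok[key]):
            verdicts["handshake"] += 1
        else:
            verdicts["unresolved"] += 1
            unresolved[key + ("401." + r["sc-substatus"],)] += 1
    return verdicts, unresolved

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Entries counted as unresolved are the ones worth investigating or alerting on; the handshake entries are the expected challenge responses.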