561 Unauthorized

The HTTP 561 status code is an unofficial server error used by the AWS Elastic Load Balancer (561 Unauthorized), Pantheon (561 No Site Detected), and Akamai Enterprise Application Access (561 Invalid NTLM Challenge). AWS returns this code for Authentication failures, Pantheon uses the code to indicate a site configuration problem, and Akamai EAA surfaces the code for NTLM Authentication errors.

Table of Contents

Usage specific to the AWS Elastic Load Balancer

The 561 Unauthorized status code indicates a listener rule on the Application Load Balancer is configured to authenticate users through an identity provider (IdP), but the IdP returned an error during the Authentication process. The failure happens at the load balancer level before the request reaches the backend target.

Common causes include:

  • The IdP is unavailable or returning errors.
  • The authentication callback URL is misconfigured.
  • The client's authentication token or session has expired.

Usage specific to Akamai EAA

Akamai Enterprise Application Access (EAA) returns 561 Invalid NTLM Challenge when the EAA connector receives an invalid NTLM challenge from the backend server during Authentication. This occurs when the backend application is configured for NTLM Authentication and the challenge- response handshake between the connector and the server fails. Reviewing the native Active Directory setup and confirming the NTLM configuration matches the application requirements resolves the error.

Usage specific to Pantheon

The 561 No Site Detected status code indicates a site has been provisioned on the Pantheon platform but no content management system (CMS) has been installed. This code also appears in place of 403 Forbidden when no index file is present in the site's root directory.

SEO impact

Search engines treat 561 the same as other 5xx server errors. Persistent failures reduce crawl rate and eventually remove affected URLs from the index.

Example

AWS ELB authentication failure

A client sends a request to an application behind an AWS Application Load Balancer. The ALB attempts to authenticate the request through the configured IdP, but authentication fails.

Request

GET /internal/dashboard HTTP/1.1
Host: www.example.re
Accept: text/html
Cookie: AWSELBAuthSessionCookie-0=expired-token

Response

HTTP/1.1 561 Unauthorized
Date: Sun, 02 Mar 2026 11:10:00 GMT
Content-Type: text/html
Server: awselb/2.0

<html>
<head><title>561 Unauthorized</title></head>
<body>
<h1>561 Unauthorized</h1>
<p>Authentication with the identity provider failed</p>
</body>
</html>

Pantheon no site detected

A client requests a newly provisioned Pantheon site with no CMS installed.

Request

GET / HTTP/1.1
Host: www.example.re
Accept: text/html

Response

HTTP/1.1 561 No Site Detected
Date: Sun, 02 Mar 2026 11:11:00 GMT
Content-Type: text/html

<html>
<head><title>No Site Detected</title></head>
<body>
<h1>561 No Site Detected</h1>
<p>No CMS has been installed on this site</p>
</body>
</html>

How to fix

AWS ELB: The 561 error originates at the Application Load Balancer's authenticate action, before the request reaches the backend target.

Verify the following settings match between the ALB listener rule and the identity provider:

  • Issuer URL, authorization endpoint, and token endpoint must be identical on both the ALB authenticate action and the IdP configuration.
  • Client ID and client secret in the ALB rule must match the values registered in the IdP. If the secret was rotated at the IdP, update the ALB listener rule to use the new secret.
  • Callback URL must be set to https://<alb-domain>/oauth2/idpresponse. A mismatch between the IdP's allowed callback and the ALB's redirect URI causes a silent auth failure.

Confirm the ALB reaches the IdP token and user info endpoints over the network. ALBs communicate with IdPs using IPv4 only. If the IdP resolves to an IPv6-only address, the handshake fails.

Review the ALB access logs (field actions_executed) for the specific failure stage: authenticate, fixed-response, or redirect. Enable detailed Authentication logging in CloudWatch to capture the IdP's error response.

If the error occurs intermittently, check for expired AWSELBAuthSessionCookie values. Clearing the client's Cookies and re-authenticating through the IdP flow resolves stale session issues.

Pantheon: Install a CMS (WordPress or Drupal) through the Pantheon dashboard's Site Admin interface. The 561 appears when the site is provisioned but no application code exists. Confirm index.php is present in the repository root (or under the web/ directory for Integrated Composer sites using web_docroot=true).

Takeaway

The 561 status code is an unofficial error with platform-specific meanings. AWS Elastic Load Balancer returns 561 Unauthorized when IdP authentication fails, Akamai EAA returns 561 Invalid NTLM Challenge for NTLM handshake failures, and Pantheon returns 561 No Site Detected when a site lacks a CMS installation.

See also

Last updated: March 11, 2026