Clients trying to connect to Site Servers with Task Server may receive a 401, 401.5, or other similar authentication errors in the Agent logs.
This can affect the NS (Notification Server), or any other Task Server.
Task Server 8.x
This is working as designed but there are improvements coming in later versions.
In short, Task Server in version 6.x and 7.x used Anonymous access in its configuration.
For ITMS 8.x though, it was determined this was a security risk, and that the default setting was changed.
This change can pose some issues if the client doesn't successfully log in to the Task Server.
There are two options to correct this issue:
There is an over-ride setting that can be used for Client-Server communications.
In the console, browse to Settings | Agents/Plug-ins | Global Settings. On the right, select the Authentication tab. Here, you can enter alternate credentials for your agents to use, or the Agent Connectivity Credential or ACC.
This affects Agent -> Server communication, Agent -> Package Server communication, and Agent -> Task Server communication.
For your clients to get the new policy, they'll have to actually check-in, which will take several hours, at least 4 by default. So, you'll probably want to wait a day before you do a full check for functionality.
Enable Anonymous Access:
If you need the clients to connect immediately, you can enable Anonymous Access on the Task Servers until the policies are all received by the agents.
This is done in IIS under Default Web Site\Altiris\ClientTaskServer.
Right-click, choose properties, and then make the change on the Directory Security tab under Authentication and access control.
Click Edit, then simply mark the option to Enable anonymous access.