Why do I see [DENIED LOGIN] in artifactory - access.log when performing docker login?

Why do I see [DENIED LOGIN] in artifactory - access.log when performing docker login?
Products
Frog_Artifactory
Content Type
Use_Case
AuthorFullName__c
Yoav Harel
articleNumber
000004500
FirstPublishedDate
2019-07-01T07:06:24Z
lastModifiedDate
2025-08-13
VersionNumber
10
Introduction 

When performing docker command (login/pull/push) against Artifactory while tailing the request log you may see 401 accompanied with access denied in the access log. The log entry <TimeStamp> [DENIED LOGIN] for client : NA / <IP> is an expected and normal part of the Docker V2 authentication process.
This entry does not indicate a failed user login. Instead, it represents the initial, anonymous handshake request sent by the Docker client. According to the Docker registry API specification, the client first "pings" the registry without credentials to determine the authentication method required. 
This initial anonymous request is intentionally denied (401 Unauthorized), which is logged as [DENIED LOGIN] for client : NA. Following this, the client makes a second, successful request using the user's actual credentials to obtain an access token.


Explanation 

We can demonstrate that behavior using cURL to get a better understanding of the Docker login flow. As mentioned, the docker client first sent an “anonymous” request, the request is similar to the one below. (NOTE: “null” is the repository name, as in the login we don't specify the repository name)

curl -v https://<ARTIFACTORY_URL>/v2/
The response of this request is as below, showing the authentication URL and method as a Header.

Www-Authenticate: Bearer realm="https://<ARTIFACTORY_URL>/v2/token",service="<ARTIFACTORY_HOST>"
User-added image 

artifactory-request.log:

2025-08-10T09:10:51.820Z|490276f0d6ca6a2c|172.16.1.6|non_authenticated_user|GET|/api/docker/v2/|401|-1|0|1|curl/8.7.1
Then the Docker client will hit the URL returned in the “Www-Authenticate” Header, and upon successful login, the response will return a token which the Docker client will then use for other requests (pull/push). We can demonstrate it using the command below.

curl -s -u<USER>:<PASSWORD> https://<ARTIFACTORY_URL>/v2/token
User-added image 

artifactory-request.log

2025-08-10T09:18:01.902Z|404e2da8a5a50e9f|172.16.1.6|admin|GET|/api/docker/null/v2/token|200|-1|836|22|curl/8.7.1
Conclusion  

The [DENIED LOGIN] for client : NA entry is not an error, provided it is immediately followed by a successful, authenticated request from the same IP address. This sequence confirms a successful Docker login.
However, if no successful request follows, the login has likely failed. To troubleshoot, start by checking the Docker repository's /v2/ endpoint. Ensure it returns the expected 401 Unauthorized response with a valid Www-Authenticate header, which is essential for the client to complete the authentication flow.