I verified username and password I was using and it was correct. The URL Lync Control Panel displayed was also correct. I had also run bootstrapper after verifying published topology. The admin URL was set and was in DNS pointing to EE pool correctly.
After a bit of searching on Bing, I stumbled upon KB896861. While it refers to only Server 2008 and Windows XP in “Applies To” section, it was strikingly similar to the issue I had on my hand. I was able to access Lync Control Panel from another machine in the domain using browser. I was getting 401.1 Unauthorized on the server when launching Lync Control Panel from the server itself. I did not have Event 537 in my security event logs, however, I had multiple occurrences of Event 4625, which essentially was same error: “An error occurred during logon”.
So I was hitting loopback check security feature that is built to prevent reflection attacks on the server! Which explained why I was able to connect to Lync Control Panel when I connected from different machine on the domain. Now that I know the issue, I had two options to fix it as described in the article. Ideally I would have opted for host names method, however, since it’s my isolated lab with no internet connectivity of any kind, I opted for less recommended method to use DisableLoopbackCheck registry key. Keep in mind, regardless of the method you use, you will have to set DisableStrictNameChecking registry to value of 1. It is detailed in KB281308.
Once I disabled loopback check alongwith strict name checking, I rebooted the server and gave Lync Control Panel another try. Now would you be surprised if I told you it worked without any issue this time?