If you ever find yourself with an IIS web site that suddenly stops accepting NTLM, make sure Keep Alive is on (web -> Properties -> Web Site -> Enable HTTP Keep-Alives). As it turns out, NTLM requires keep alive.
In retrospect it’s perfectly clear why keep alive is required, but it sure isn’t an obvious troubleshooting step. Also, if you have keep-alive turned off and then enable Integrated Windows Authentication, keep-alive won’t automatically turn itself on.
The result is that you are (depending on your browser) continually prompted for credentials or immediately redirected to a “HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials” error.
If keep alive doesn’t solve your problem, Google will tell you about this and this and this. I recommend you skip all that and get Authentication and Access Control Diagnostics 1.0 (x86), which is how I eventually figured out what was wrong (there’s an x64 version too).
As it turns out, there are a bazillion other reasons why IIS might respond with a 401 error.