Have a look in /home/hts/.hts/tvheadend/accesscontrol. You'll find a file there, one per corresponding entry in the Configuration -> Access Control tab of the web interface (you know, the one that you can't access...).
Here's a sample of one of my rules:
hts@Server:~/.hts/tvheadend/accesscontrol$ ls -la
total 16
drwx------ 2 hts video 4096 Mar 28 18:33 .
drwxr-xr-x 14 hts hts 4096 May 5 10:13 ..
-rwx------ 1 hts video 195 Mar 28 18:33 1
-rwx------ 1 hts video 192 Mar 28 18:33 2
hts@Server:~/.hts/tvheadend/accesscontrol$ more 2
{
"enabled": 1,
"username": "blob",
"password": "blob",
"comment": "Example entry",
"prefix": "0.0.0.0/0",
"streaming": 1,
"dvr": 1,
"dvrallcfg": 1,
"webui": 1,
"admin": 1,
"id": "2"
}
This allows blob ("username": "blob", "password": "blob"), to log in ("webui": 1) from anywhere (0.0.0.0/0 - safe on my LAN because it's isolated from the real world). It also grants the same user streaming, dvr and other access while you're there.
I'm not 100% clear on the relationship, but there's also the superuser file which contains the details of the user you create during the dpkg configure. On my system, it matches, i.e.
hts@Server:~/.hts/tvheadend$ ls -la super*
-rw------- 1 hts hts 43 Apr 19 19:12 superuser
hts@Server:~/.hts/tvheadend$ more superuser
{
"username": "blob",
"password": "blob"
}
You can force the creation of the latter with a dpkg --configure, I think.
PS Have you tried accessing the file from the local system, rather than remotely? It would nail the problem down to network accessibility versus access control.