Well, not quite there yet.
Switching to lsws still shows 401 without asking for authorization.
This is on latest 2.2.1 and the .htaccess file in question look simply like this:
AuthName "Restricted Area"
Changing AuthUserFile location to be inside user's public_html doesn't help.
Apache works ok with this .htaccess and there are many .htaccess files
that look similar to this in the servers.