When calling a secured web service it is important to code the application to explicitly pass the credentials to the web service. When calling a web service, the default communication is security context-less. In other words, the application assumes that the web service virtual directory is set up for anonymous authentication. In the instances where this is not true (i.e., a SOA architecture where the web services are in the DMZ and need to be secured so only the calling app can talk) you have to code for the security call as follows:
MyWebService ws = new MyWebService();
ws.Preauthenticate = true;
ws.Credentials = System.Net.CredentialCache.DefaultCredentials;
This will pull the credentials that the application is executing under (i.e., impersonated or the application pool’s account) and pass them to the web service.
Thanks to my colleague for reminding me of this!
See the following link for more information: