I'm trying to configure a web service that queries a SharePoint list. The web service should allow anonymous access from clients. What I'm observing is puzzling me, however. Following is a high-level overview of my environment:
web service client -> web service -> SharePoint
What I'm finding is that the user running the web service client requires access to SharePoint. In other words, the user credentials are being passed from the client, through the web service layer, all the way into SharePoint. What I would prefer is that only the web service application pool identity account be granted permission. After disabling Integrated Security, while enabling only Anonymous Access in the web service IIS configuration settings, a 401 (authentication denied) exception is thrown.
I have verified that the application pool identity account has permission to the SharePoint site. I have also verified that the authentication mode is configured as "windows" in the web.config file. I'm not using impersonation, anywhere.
Please note that this is a custom web service (not using the built-in SharePoint web services), hosted in IIS 6.0 on Windows Server 2003.
EDIT: I have additional web methods exposed on the web service that do not connect to SharePoint. I have no problem calling those web methods. Additionally, I have verified that the client user is being passed through to SharePoint because I had to grant the user (the person running client) access to SharePoint.
I believe you would want to set the authentication mode in your web service web.config to "none". This should allow anonymous client requests, then IIS would connect to your SharePoint site under the context of the app pool identity.
Update: Have you checked the authentication on specific files in the site? It may be different than the site configuration.
**Before update:** If you have configured only anonymous authentication on the web service site, there is no way that the site is doing impersonation/delegation.
The errors you have received (401 and 403) are from the web service site. If the problem was in accessing the SharePoint site, the errors won't be from IIS but from your code.
You should focus your troubleshooting on the 401 and 403. For a start, what are the complete errors? Look for them in the IIS logs.
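The log check suggested above, as an added example that is not part of the original answer: a Python parser for IIS W3C extended logs that pulls out the 401/403 entries with their sub-status, Win32 status and logged user name, which shows whether a denied request arrived anonymously or with a client identity. The sample log lines, paths and user name are constructed, and it assumes the site logs the `sc-substatus` and `sc-win32-status` fields.

```python
# Constructed sample in IIS 6.0 W3C extended format (not from the original thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus sc-win32-status
2009-03-02 14:01:10 10.0.0.5 POST /ListService/Service.asmx - 80 - 10.0.0.21 200 0 0
2009-03-02 14:01:12 10.0.0.5 POST /ListService/Service.asmx - 80 - 10.0.0.21 401 2 2148074254
2009-03-02 14:01:15 10.0.0.5 POST /ListService/Service.asmx - 80 CORP\\alice 10.0.0.21 401 3 5
2009-03-02 14:01:20 10.0.0.5 GET /ListService/data.xml - 80 - 10.0.0.21 403 0 0
"""

# IIS sub-status meanings for HTTP 401.
IIS_401_SUBSTATUS = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "unauthorized due to ACL on resource",
    "4": "authorization failed by filter",
    "5": "authorization failed by ISAPI/CGI application",
}

def auth_failures(log_text):
    """Return the 401/403 entries of a W3C extended log as a list of dicts."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # directive may reappear with a new layout
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        status = row.get("sc-status")
        if status not in ("401", "403"):
            continue
        sub = row.get("sc-substatus", "-")
        hits.append({
            "time": f'{row.get("date", "-")} {row.get("time", "-")}',
            "uri": row.get("cs-uri-stem", "-"),
            "user": row.get("cs-username", "-"),  # "-" means no identity was logged
            "code": f"{status}.{sub}",
            "win32": row.get("sc-win32-status", "-"),
            "meaning": IIS_401_SUBSTATUS.get(sub, "") if status == "401" else "",
        })
    return hits

if __name__ == "__main__":
    for h in auth_failures(SAMPLE_LOG):
        print(h["time"], h["code"], h["user"], h["uri"], h["win32"], h["meaning"])
```

Run it against the web service site's log and the SharePoint site's log separately to see which of the two sites actually returned the 401.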
The web service call needs to pass credentials to SharePoint here. You can either code some credentials in or use impersonation and grab the windows credentials of the user.