Fengzhimei@Dot.Net
Designing My Colorful Dream

    I recently ran into a big problem while working on my ListAggregation webpart. The webpart needs to pull list data from a remote WSS site into my local WSS site; the two servers are not in the same domain, and both use NTLM credentials. So I decided to use the lists.asmx web service to do this. In my webpart, I used System.Net.CredentialCache.DefaultCredentials as the web service credential, but when I deployed the webpart to my site, I got the error "The request failed with HTTP status 401: Access Denied." I really had no idea about this exception, but the error message indicates a permission problem, and after many Google searches I realised it is the security issue known as "double-hop". The "double-hop" issue arises "if your webservice exists on another server than your SPS the client sends it credentials to the SPS-server (first hop) which tries to forward the credentials to the webservice server (2nd hop)" (quoted from http://msmvps.com/obts/archive/2005/01/18/33146.aspx).

    But fortunately I finally found several approaches that can handle the "double-hop" issue:
    1. Give a specific credential. To do this, create a NetworkCredential instance and pass the specific "name", "password" and "domain" as the parameters.
    2. Enable delegation. Take a look at this for more detail.
    3. Create a COM+ component to encapsulate the required functionality; refer to this article.
    4. Basic Authentication (you need to use HTTPS for security reasons).

    I recommend the first method. Basically it is not secure to store your alias and password in plain text in web.config, but you can encrypt the userName and password and store them in the registry; you then need a few configuration steps to retrieve the encrypted information. To accomplish this, please refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;329290. As for why I don't want to use the second and third methods: about the second method, just as Nunos said, "You'll need to ask a domain admin to do this and normally they don't really like to accept this type of request". And about the third method, I think it is doable, but it takes more work and it is hard to deploy.
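    To make the first method concrete, here is an added example (not code from the original post or from the webpart) of calling lists.asmx on the remote site with an explicit NetworkCredential instead of DefaultCredentials, so the second hop carries a credential that actually exists. It assumes .NET 2.0, a web reference to the remote site's _vti_bin/lists.asmx generated under the namespace RemoteWss (proxy class RemoteWss.Lists), and a dedicated read-only service account; the registry path, domain and account name are placeholders. Instead of the KB article's aspnet_setreg procedure, it protects the password with DPAPI (System.Security.Cryptography.ProtectedData) before writing it to the registry, which keeps the plain-text password out of web.config and out of the assembly.

```csharp
// Added example, not part of the original post.
// Assumes: .NET 2.0, a web reference RemoteWss.Lists to the remote lists.asmx,
// and a placeholder registry key whose ACL is restricted to the app pool account.
using System;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using System.Xml;
using Microsoft.Win32;

public static class RemoteListReader
{
    // Placeholder registry location; pick a real key and restrict its ACL.
    const string KeyPath = @"SOFTWARE\ListAggregation\RemoteCredential";
    const string ValueName = "Password";

    // One-time setup step, run by an administrator on the web front end:
    // encrypt the service account password with DPAPI (machine scope) and
    // store only the ciphertext blob in the registry.
    public static void StoreProtectedPassword(string password)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(password), null, DataProtectionScope.LocalMachine);
        using (RegistryKey key = Registry.LocalMachine.CreateSubKey(KeyPath))
        {
            key.SetValue(ValueName, blob, RegistryValueKind.Binary);
        }
    }

    // Runtime step: decrypt the blob; this only works on the machine that
    // protected it, so a copied registry value is useless elsewhere.
    static string ReadProtectedPassword()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(KeyPath))
        {
            if (key == null)
                throw new InvalidOperationException("Credential registry key not found.");
            byte[] blob = (byte[])key.GetValue(ValueName);
            if (blob == null)
                throw new InvalidOperationException("Protected password value not found.");
            byte[] plain = ProtectedData.Unprotect(blob, null, DataProtectionScope.LocalMachine);
            return Encoding.UTF8.GetString(plain);
        }
    }

    // Returns the remote site's list collection as the raw XML the service hands back.
    public static XmlNode GetRemoteLists(string remoteSiteUrl)
    {
        RemoteWss.Lists proxy = new RemoteWss.Lists();
        proxy.Url = remoteSiteUrl.TrimEnd('/') + "/_vti_bin/lists.asmx";

        // Approach 1 from the post: a specific credential for the second hop.
        // The account (placeholder) should have read-only rights on the remote lists
        // and nothing more, so a leaked password cannot modify or delete anything.
        string domain = "REMOTEDOMAIN";      // placeholder
        string userName = "SVC_ListReader";  // placeholder
        proxy.Credentials = new NetworkCredential(userName, ReadProtectedPassword(), domain);

        // Send the credential up front rather than negotiating after a 401.
        proxy.PreAuthenticate = true;

        return proxy.GetListCollection();
    }
}
```

    GetListCollection() takes no parameters in both the WSS 2.0 and WSS 3.0 versions of lists.asmx, which is why it is used here; the GetListItems signature differs between the two versions, so check the generated proxy before calling it. The DPAPI blob is bound to the machine that created it, so StoreProtectedPassword has to be run on each web front end, and the app pool identity needs read access to the key while everyone else should have none.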
    Hope this helps.
posted on 2005-08-03 19:54  fengzhimei  Reads (2896)  Comments (1)