Miscellaneous Debris

Avner Kashtan's Frustrations and Exultations

NT Networks, Delegation, Kerberos and Impersonation.

The issue of delegating permissions across a network seems to be one of the most confusing issues people run into. I don't think I've been on a project involving web pages or services in some form that didn't run into it - people simply expect permissions to flow naturally from one network node to the next. It's logical. It's intuitive. However, it doesn't work.

I've blogged about this and the Double-Hop problem before, but for neatness' sake, and because I found myself explaining it three times today, I'll reiterate it here, linking to various resources so I have somewhere to point people when they ask.

1) Larry Osterman explains about network delegation and its limitations.
2) MSDN Article on troubleshooting authentication and double-hop issues.
3) A blog entry of mine on using RevertToSelf() to bypass the double-hop problem.
4) Scott Allen's Roadmap to Delegation has links on how to set up Kerberos delegation.
5) If you have a username and password to authenticate with, you can use LogonUser to acquire a primary logon token that can be delegated, or use DuplicateTokenEx to turn an impersonation token into a primary token. Here is some C# code, if you prefer.
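To illustrate item 5, here is an added sketch of my own (not the post's linked code or Microsoft's sample): a .NET Framework P/Invoke helper that gets a primary token either from LogonUser or by duplicating an existing impersonation token. The class and method names are assumptions, and WindowsIdentity.Impersonate(IntPtr) exists only on .NET Framework.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class DelegableToken
{
    // LOGON32_LOGON_NETWORK (3) caches no credentials, so that token cannot
    // make the second hop; INTERACTIVE (2) or NETWORK_CLEARTEXT (8) can.
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int SecurityDelegation = 3;   // SECURITY_IMPERSONATION_LEVEL
    const int TokenPrimary = 1;         // TOKEN_TYPE
    const uint MAXIMUM_ALLOWED = 0x02000000;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr existing, uint desiredAccess,
        IntPtr tokenAttributes, int impersonationLevel, int tokenType,
        out IntPtr newToken);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Option A: a primary logon token built from explicit credentials.
    public static IntPtr FromCredentials(string domain, string user, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return token;
    }

    // Option B: primary copy of the caller's impersonation token (for example
    // WindowsIdentity.GetCurrent().Token). DuplicateTokenEx cannot raise the
    // impersonation level, so this fails unless the caller's token already
    // permits delegation; it does not replace configuring Kerberos delegation.
    public static IntPtr FromImpersonationToken(IntPtr impersonationToken)
    {
        IntPtr primary;
        if (!DuplicateTokenEx(impersonationToken, MAXIMUM_ALLOWED, IntPtr.Zero,
                              SecurityDelegation, TokenPrimary, out primary))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return primary;
    }

    // Impersonate under the token for the duration of work, then release it.
    public static void RunAs(IntPtr primaryToken, Action work)
    {
        using (WindowsIdentity.Impersonate(primaryToken)) work();
        CloseHandle(primaryToken);
    }
}
```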

Hope this helps clarify matters.
And remember - it's not a link blog if I also link to my own entries. :)

Posted: May 04 2005, 09:42 PM by AvnerK | with 3 comment(s)

Comments

Javier Luna said:

I believe that any DataLayer must be a simple code block that allows operations against the DB.

That code block would not have to know about the Business Entities. Its single specialization is to execute the operations (stored procedures and SQL statements) against the DB engine (SQL, Oracle, DB2, etc.) with which it is set up.

Finally, I invite you to download the DataLayer.Primitives Public Version.

This is a very cool Data Layer :)

DataLayer.Primitives - Readme!
http://forums.microsoft.com/msdn/ShowPost.aspx?PostID=1389

Cheers,

Javier Luna
http://guydotnetxmlwebservices.blogspot.com/
# May 26, 2005 10:37 PM

weblogs.asp.net said:

405635.. Outstanding :)

# April 4, 2011 5:25 PM
