+1  A: 

Does it work if you put 127.0.0.1 instead of localhost?

Sijin
Thanks for the suggestion. The URL that gets sent to the resolver is based on the request URL, and I confirmed in the debugger that accessing the site at 127.0.0.1 yields the same result.
harpo
A: 

My ignorance. I didn't know that the $OriginHost$ token was replaced using the originUrl attribute of the trust level — I thought it just came from the URL of the app. I had originally left this attribute blank.

<trust level="CustomMedium" originUrl="http://localhost/" />
harpo
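
How the two pieces named in the answer above fit together, shown as an added example that is not part of the original post. The policy file name `web_custommedium.config` is an assumption, and the `WebPermission` fragment follows the layout of the stock ASP.NET Medium trust policy file.

```xml
<!-- web.config: where the trust level is selected -->
<configuration>
  <system.web>
    <securityPolicy>
      <!-- Maps the custom level name to its policy file.
           The file name here is hypothetical. -->
      <trustLevel name="CustomMedium" policyFile="web_custommedium.config" />
    </securityPolicy>

    <!-- Before: originUrl left blank, so the policy file's $OriginHost$
         token has no URL to be replaced with. -->
    <!-- <trust level="CustomMedium" originUrl="" /> -->

    <!-- After: this value is substituted for $OriginHost$ when the
         policy file is loaded. -->
    <trust level="CustomMedium" originUrl="http://localhost/" />
  </system.web>
</configuration>

<!-- web_custommedium.config (separate file): the permission that
     consumes the token, inside the ASP.Net named permission set. -->
<IPermission class="WebPermission" version="1">
  <ConnectAccess>
    <!-- Outbound connections are checked against this URI, which is
         whatever originUrl was set to above. -->
    <URI uri="$OriginHost$" />
  </ConnectAccess>
</IPermission>
```

Because `originUrl` defines what the `WebPermission` lets partially trusted code connect to, keep it as narrow as the application's outbound calls allow.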
A: 

This might not be the solution but when I saw your post I remembered this issue that I ran into about a year ago:

http://support.microsoft.com/default.aspx/kb/896861

You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6

We were creating a WebRequest to screen scrape a page and it worked in our production environment because we were not using a loopback host name but on development machines we ended up with access denied (after applying Windows Server 2003 SP2). The one difference here is that this was under integrated authentication which caused it to fail... it worked when the request was anonymous (so that is why I am not sure this is the answer for you).

Jeff Widmer
Thanks. I found the problem as noted, but I have also run into something like what you're talking about. WebRequest does not get sent with the presiding credentials the way that requests do from the browser; you have to "manually" add them to the request headers, as I'm sure you learned.
harpo