I have a web service
[authorization]
[allow users="domain\myaccount, domain\yyy"/]
[deny users="*"/]
[/authorization]
[authentication mode="Windows" /]
And I have a web client which calls this web sercice
[identity impersonate="true" /]
[authentication mode="Windows" /]
I use my own domain account (which listed above, domain\myaccount, to test the client, but I still got 401 error, any idea?
Use Fiddler or another HTTP debugger (e.g. Firebug in FireFox) to look at the full header. It will send back the kind of authentication it can handle -- perhaps you aren't sending the credentials in a way that is acceptable to the service.
don't you mean deny '?' not deny *
I was always taught that a deny is stronger than an allow so deny * would deny all even those that were given permission.
I would say you are deny all even those you have given permission to.