I came across an issue where I was trying to use CSOM to read a list item. Just read. Nothing more. Then BAHM! The (401) Permissions Denied error shows up. Specifically on the request-response step of the CSOM call.
using System.Net;
using Microsoft.SharePoint.Client;
using (ClientContext context = new ClientContext("http://yourserver/")) {
context.Credentials = new NetworkCredential("user", "password", "domain");
List list = context.Web.Lists.GetByTitle("Some List");
context.ExecuteQuery();
// Now update the list.
}What I learned what that while I was developing and deploying the CSOM functionality, I was testing on the server that I had “God Mode” enabled. Meaning I had the AppPool permission level, which is the same level you’d need to reach across Apps. Testing on a machine where I was a humble user brought the error messages out about permissions.
Therefore, I bundled my CSOM call with the NetworkCredentials call resolved the issue. Granted, this is a bad idea when you’re trying to access sensitive material, as the username and password is basically hard-coded and just doesn’t give me the warm and fuzzies.
If your system is set up as the NTLM security model, then you may find that CSOM may be difficult across WebApps. Basically, NTLM authenticates each time it moves environments while Kerberos passes through each environment. I’ve linked the TechNet article more about Kerberos vs. NTLM.