The reason is that application pools in IIS 7 default "Managed Pipeline Mode" to "Integrated", under which impersonation doesn't work. Changing it from "Integrated" to "Classic" is the fix. If you check the application pools of the SharePoint applications, they are all set to "Classic".
Since IIS 7 uses kernel mode for authentication, if you use the server's NetBIOS name as the URL, you get Kerberos authentication for free (see this blog for details). Does this mean that, with impersonation in place, you can forward the logged-on user's credentials to the next hop? For example, by setting the credentials before calling a web service, such as:
svc.Credentials = System.Net.CredentialCache.DefaultCredentials;
You still need the delegation right for your service account (or machine account?) to make that hop happen. Otherwise you simply forward an empty credential to the web service, and if the web service does not allow anonymous access, the call will fail.
In the case of NTLM authentication, the logged-on user's credentials cannot be forwarded by any means.
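To see which of these cases you are in before making the call, you can inspect the token the thread is running under. The following is an added example, not code from the original post; the class name NextHopCheck and the method Describe are hypothetical, and only standard System.Security.Principal members are used.

```csharp
using System;
using System.Security.Principal;

public static class NextHopCheck
{
    // Hypothetical helper: describes whether the identity the current thread
    // runs as can be presented to a remote server by DefaultCredentials.
    public static string Describe(WindowsIdentity id)
    {
        string who = id.IsAnonymous ? "(anonymous)" : id.Name;
        // Typical values are "Kerberos", "Negotiate" or "NTLM".
        string auth = id.AuthenticationType ?? "unknown";

        switch (id.ImpersonationLevel)
        {
            case TokenImpersonationLevel.Delegation:
                // The token may be used against remote systems.
                return who + " via " + auth + ": delegation token, usable on the next hop";
            case TokenImpersonationLevel.Impersonation:
                // The token is valid on the local system only.
                return who + " via " + auth + ": impersonation token, local only; "
                     + "the next hop will not see this user";
            case TokenImpersonationLevel.None:
                // A primary token: the thread is not impersonating anyone.
                return who + ": primary token, not impersonating; outbound calls use "
                     + "the process (application pool) identity";
            default:
                // Anonymous or Identification: cannot act as the user at all.
                return who + " via " + auth + ": level " + id.ImpersonationLevel
                     + ", cannot act as the user";
        }
    }

    // Stand-alone run: prints the diagnosis for the current process or thread.
    public static void Main()
    {
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine(Describe(current));
        }
    }
}
```

In the web application, log NextHopCheck.Describe(WindowsIdentity.GetCurrent()) immediately before the svc.Credentials assignment, so the log shows which identity and token level the outbound call will use.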