I implemented an integration service using the PSI for lifting data from a customer's system into Project Server.  The service ran like a champ in my development environment but upon deploying it at the customer site, I was flummoxed for a while by 401 Unauthorized errors when attempting to make PSI calls.

I checked IE settings.  I checked to ensure the account I was running under had the appropriate OS permissions via the IIS Auth Diag Tool.  I checked PWA permissions.  I could successfully browse the web service ASMX pages.  

The IIS log contained entries like the following:

 <SNIP> /PWA/_vti_bin/psi/Project.asmx - 80 - 192.168.101.33 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.3053) 401 1 0
<SNIP> /PWA/_vti_bin/psi/Project.asmx - 80 - 192.168.101.33 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.3053) 401 1 2148074252

I reached back to guys on the team and we ran through the checklist of other things that could be causing the problem.  I installed ProjTool.  Same result.  I tried impersonating another user.  Same result.

By this time I was 8 hours into trouble shooting when I finally decided to try applying a workaround I discovered in a KB that resembled the problem I was seeing, although the KB made no mention of the PSI and applying it could potentially expose a security risk.  I determined the configuration is such that the security risk was mitigated appropriately.

It worked.

Here is the KB.

If you get seriously hung up on 401 errors while making PSI calls, try the workaround recommended in the KB.    Explain the workaround and get clearance from the customer because of the security concerns.