Hi Don,
Thanks for the suggestion, I actually was already using UDCX and using Secure Store Service credentials in the Authentication node.
After a lot of troubleshooting I was finally able to get this to work. I don't know why this was so difficult to get working in 2013. The Claims based sites in 2010 worked with no problem and exactly as I expected them to; by configuring the Secure Store Service with a Target Application that has credentials to the site I'm pulling data from.
I found 2 workarounds that allowed the data connections to refresh without error:
1. Disable Anonymous Authentication and remove Authentication from the udcx connection file.
- Modify the web.config for your web application. Change the AllowAnonymousImpersonation key from true to false.
<appSettings><add key="aspnet:AllowAnonymousImpersonation" value="false" /></appSettings>- Make sure that the udcx data connection has the <udc:Authentication> node commented out.
When you make this change the IIS logs show that the Query requests are executed under the web application service account and everything works.
2. Instead of changing the AllowAnonymousImpersonation setting, set the Credentials for the Secure Store Service Target Application to the same account used for the Web Application Service.
Make sure the udcx is using this Group/Group Ticket Target Application in the <udc:Authentication> node.
This allowed the query to work, checking the IIS logs shows that all queries to owssvr are sent under the Service Account for the web application instead of the account I had configured for accessing the data. No idea why I can't use other accounts to query the data in InfoPath. I tried this on 3 different 2013 environments, 2 on my corporate domain and one on a isolated 2013 environment and I had the same issue on all.
The following links helped me in resolving the issue:
http://www.cleverworkarounds.com/2013/10/
http://surviving-sharepoint.blogspot.ca/2013/10/sharepoint-2013-access-denied-using-web.html