Another 401 Unauthorized Tip for Working with SharePoint Apps

I've tried to update the related postings to this, but sometimes you need a call-out to make sure it catches your attention, so here's another troubleshooting tip for when you get a 401 Unauthorized error when your app tries to access SharePoint content.

Suppose you have gotten everything working and then create a provider-hosted app hosted in IIS instead of IIS Express (see here for more details on this process: https://blogs.technet.com/b/speschka/archive/2013/06/12/converting-a-vs-net-web-for-a-provider-hosted-sharepoint-app-to-a-full-blown-web-or-console-application.aspx). Despite that, when the code runs in your app you get access denied again.

Here's the tip: set a breakpoint in TokenHelper.cs in the GetClaimsWithWindowsIdentity method, and then look at identity.User.Value. If you see a very short SID value, like S-1-5-17, that probably means it's the anonymous account for IIS. The SID for a "real" user is much longer, something like S-1-5-21-1644491937-1935655697-1957994488-2138.

Remember that the way OAuth works (in the most common case with SharePoint Apps) is that SharePoint checks to make sure BOTH the app AND the user have rights to the content. In most cases the anonymous user account will not have rights, so you get an access denied error message.

To fix this, go into IIS and find your provider-hosted app, then disable Anonymous access and enable Windows authentication. I recommend restarting the IIS virtual server for your hosted app, then try again.
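As an added example (not code from this post or from TokenHelper.cs), here is a small helper with the hypothetical name IdentityDiagnostics that applies the same SID check in code, so the app fails with a clear message about the IIS authentication settings instead of an opaque 401 from SharePoint when it is running as the anonymous account. The call site assumes a page or controller where Request.LogonUserIdentity is available, as in the standard provider-hosted app sample.

```csharp
using System;
using System.Security.Principal;

// Hypothetical helper added for this example; not part of TokenHelper.cs.
public static class IdentityDiagnostics
{
    // True when the identity is a real domain or local user account, i.e. its SID
    // has the account form S-1-5-21-<domain parts>-<RID>. Short well-known SIDs
    // such as S-1-5-17 (IIS IUSR) or S-1-5-7 (ANONYMOUS LOGON) return false.
    public static bool LooksLikeRealUser(WindowsIdentity identity)
    {
        if (identity == null || identity.IsAnonymous || identity.User == null)
            return false;

        if (identity.User.IsWellKnown(WellKnownSidType.AnonymousSid))
            return false;

        // AccountDomainSid is non-null only for account SIDs (S-1-5-21-...),
        // and null for short well-known SIDs like S-1-5-17.
        return identity.User.AccountDomainSid != null;
    }

    // Call before TokenHelper.GetS2SClientContextWithWindowsIdentity so the
    // misconfiguration is reported where it can be fixed (IIS authentication
    // settings) rather than surfacing later as a 401 from SharePoint.
    public static void EnsureRealUser(WindowsIdentity identity)
    {
        if (LooksLikeRealUser(identity))
            return;

        string sid = (identity != null && identity.User != null)
            ? identity.User.Value
            : "(none)";
        throw new InvalidOperationException(
            "The app is not running as a real Windows user (SID " + sid + "). " +
            "Disable Anonymous authentication and enable Windows authentication " +
            "on the provider-hosted app's IIS site, then restart the site.");
    }
}

// Assumed call site in a page or controller of the provider-hosted app:
//   IdentityDiagnostics.EnsureRealUser(Request.LogonUserIdentity);
//   var ctx = TokenHelper.GetS2SClientContextWithWindowsIdentity(
//       hostWeb, Request.LogonUserIdentity);
```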