With IIS Windows Authentication, impersonation is not enough network resources so you also need delegation:
Impersonation only allows you to access resources local to the web server as the browser user. If you want that user's identity to travel across the then you need delegation.
The reason it works when you provide user name and password is that when Windows has the password, it can access network resources.
However when there is no password, IIS creates a user token which can only access local resources.
IIS only creates a delegation user token when you use Basic Authentication because then it knows your password (passed in clear text).
So possibly you will see that you can access the path when you enable Basic Authentication. However this is not desirable because IIS would ask your credentials
every time you access the site (no automatic logon I guess). So we should focus on enabling delegation for Windows Authentication (your current setting)
To enable delegation in IIS, you need to enable Negotiate:Kerberos provider:
Under "Windows Authentication" right click and select "Providers". Add "Negotiate:Kerberos" and move it to the top
Note that configuring delegation seems to be a pain. So there are some other steps that may be required.
However we should first start by doing the above.
The other steps include
- Configuring the user's account to allow delegation in AD
- Setting up SPNs for users