I just figured this out. You have to modify the remoting-connector here:
<connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
... and remove the security-realm, like so:
<connector name="remoting-connector" socket-binding="remoting" />
What else are you going to be deploying to the server / accessing remotely? Removing that attribute disables authentication for all services acessible over that connector.
We are not accessing anything else remotely. I realize that this leaves somewhat of a hole, but like I said we have no other choice because of the way this third-party system is implemented. It would be nice if JBoss had some way to disable remote JNDI security without disabling *all* remoting security. If anyone knows a way around this, please let me know.