Anonymous authentication not working for WCF service: "..... The authentication header received from the server was ''"

Question

We use IIS 7.5 to host our intranet applications, which are configured to use Windows Authentication.

Within one of the applications, I have a WCF service I'm trying to host/call into. This must have Anonymous authentication, so I can host it with the following setting:

<system.serviceModel>
    <behaviors>
        <serviceBehaviors>
            <behavior name="myServiceBehaviour">
                <serviceMetadata httpGetEnabled="true" />
                <serviceDebug includeExceptionDetailInFaults="true" />
            </behavior>
        </serviceBehaviors>
    </behaviors>
    <bindings>
        <basicHttpBinding>
           <binding name="basicHttpBindingOverSslAnonymous">
            <security mode="Transport">
                <transport clientCredentialType="None"/>
            </security>
        </binding>
        </basicHttpBinding>
    </bindings>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
    <services>
        <service behaviorConfiguration="myServiceBehaviour"
                   name="xxx.yyy.Web.Mvc.Client.Services.MyService">
            <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttpBindingOverSslAnonymous" name="BasicHttpEndpoint" contract="xxx.yyy.Wcf.IMyService">
                <identity>
                    <dns value="localhost" />
                </identity>
            </endpoint>
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
        </service>
    </services>
</system.serviceModel>

But, despite the server being configured to allow Anonymous authentication and disable Windows authentication, all I get is the following exception message:

The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was ''

Note the empty authentication header. Googling for this was futile, as all responses had something in the quotes (despite using the phrasal search operator).

This is based on my client which has the following configuration:

<system.serviceModel>
    <bindings>
        <basicHttpBinding>
            <binding name="BasicHttpEndpoint">
                <security mode="Transport">
                    <transport clientCredentialType="None" />
                </security>
            </binding>
        </basicHttpBinding>
    </bindings>
    <client>
        <endpoint address="https://xxx.local/xxx.yyy.Web.Mvc.Client/services/MyService.svc"
            binding="basicHttpBinding" bindingConfiguration="BasicHttpEndpoint"
            contract="MyService.IMyService" name="BasicHttpEndpoint" />
    </client>
</system.serviceModel>

Turning on Windows authentication works fine from a browser, but I don't want to have to send credentials.

It's as if WCF is ignoring my IIS configuration:

• Anonymous authentication
• Impersonation
• Basic authentication
• Forms authentication
• Windows authentication

Why could this be?

Interestingly, dropping a test.txt file in the same folder works fine with anonymous setting. It's as if this only effects WCF.

Answer 1

The issue was that configuring Anonymous authentication within IIS is not the only step.

The following removes the intranet-style denial rule from the /Services folder that contained my services.

  <location path="Services">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
      <identity impersonate="false" />
    </system.web>
  </location>

The net effect of this is that .NET assets within the /Services folder are permitted for Anonymous authentication.