WCF: Using IIS and Windows Authentication to Secure WCF Services

If you try to get Windows Authentication working in IIS for a WCF service (including the one I showed you earlier), you may get the following error:

Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

The problem here is that IIS and WCF are fighting over security. You’ve told IIS to prevent Anonymous access and use Windows Authentication instead. WCF, however, knows nothing about this. The answer is simple. Change your web.config file like so:

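<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <services>
      <service behaviorConfiguration="basicBehavior" name="WCFTest.Test">
        <endpoint address="" binding="basicHttpBinding" contract="WCFTest.Test" bindingConfiguration="basicBinding" />
        <endpoint address="mex" binding="basicHttpBinding" contract="IMetadataExchange" bindingConfiguration="basicBinding" />
      </service>
    </services>
    <behaviors><serviceBehaviors>
      <behavior name="basicBehavior">
        <serviceMetadata httpGetEnabled="true" />
      </behavior>
    </serviceBehaviors></behaviors>
    <bindings><basicHttpBinding>
      <binding name="basicBinding">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows"/>
        </security>
      </binding>
    </basicHttpBinding></bindings>
  </system.serviceModel>
</configuration>
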
The key change here is a new binding configuration called basicBinding. Have a look at the <security> and <transport> nodes. These tell WCF that security will be handled by the transport layer, that only credentials will be confirmed, and that it should quit worrying and get back to work.
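
A quick way to find endpoints that will still trigger the 'Anonymous' error is to check which binding security each endpoint actually resolves to. The script below is an added example, not code from the original post: the function names and the "legacy" endpoint in the sample are hypothetical, it evaluates only basicHttpBinding, and it assumes the .NET 4 convention that an unnamed <binding> acts as the default for its type.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's service plus a hypothetical "legacy" endpoint with no bindingConfiguration.
SAMPLE = """<configuration><system.serviceModel>
  <services>
    <service name="WCFTest.Test">
      <endpoint address="" binding="basicHttpBinding" contract="WCFTest.Test" bindingConfiguration="basicBinding" />
      <endpoint address="legacy" binding="basicHttpBinding" contract="WCFTest.Test" />
    </service>
  </services>
  <bindings><basicHttpBinding>
    <binding name="basicBinding">
      <security mode="TransportCredentialOnly"><transport clientCredentialType="Windows" /></security>
    </binding>
  </basicHttpBinding></bindings>
</system.serviceModel></configuration>"""

def effective_security(sm, cfg):
    """Return (mode, clientCredentialType) for a basicHttpBinding endpoint."""
    mode, cred = "None", "None"  # basicHttpBinding defaults
    for b in sm.findall("bindings/basicHttpBinding/binding"):
        # An unnamed <binding> is the default for its type (.NET 4 convention).
        if b.get("name", "") == cfg:
            sec, tr = b.find("security"), b.find("security/transport")
            mode = sec.get("mode", mode) if sec is not None else mode
            cred = tr.get("clientCredentialType", cred) if tr is not None else cred
    return mode, cred

def audit(config_xml):
    """Map 'service|address' to a finding for IIS with Anonymous disabled."""
    sm = next(ET.fromstring(config_xml).iter("system.serviceModel"))
    findings = {}
    for svc in sm.iter("service"):
        for ep in svc.findall("endpoint"):
            key = f"{svc.get('name')}|{ep.get('address', '')}"
            if ep.get("binding") != "basicHttpBinding":
                findings[key] = "SKIP: only basicHttpBinding is evaluated"
                continue
            mode, cred = effective_security(sm, ep.get("bindingConfiguration", ""))
            if mode in ("Transport", "TransportCredentialOnly") and cred != "None":
                note = "plain HTTP, authentication only" if mode == "TransportCredentialOnly" else "HTTPS"
                findings[key] = f"OK: {cred} at the transport ({note})"
            else:
                findings[key] = "MISMATCH: no transport credential requested, WCF expects Anonymous"
    return findings

if __name__ == "__main__":
    for endpoint, finding in audit(SAMPLE).items():
        print(endpoint, "->", finding)
```

The "legacy" endpoint is reported as a mismatch because it falls back to the basicHttpBinding defaults, which is the condition behind the error message quoted at the top of the post.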


  1. Thanks for the info, very helpful.

  2. How can I read Windows credentials received on the server? I'd like to read, in the server method, the credentials sent by the client.

  3. This doesn't work if your client is Silverlight 3. Any ideas?!

  4. Thank you, it is working, but by adding


    the web.config file will have two endpoints on the client side when a service reference is added. I am getting this error:
    "error WCF:More than one endpoint configuration for that contract was found"

    I deleted the extra endpoint (mex) in the web.config on the client side and it is working, but I didn't understand why it should be added on the service side and deleted on the client side?


Copyright © 2010 Paul Guenette and Matthew Sleno.