Silverlight and WCF with Windows Authentication

I have a Silverlight application in an ASP.NET web application. I then have a WCF Service Library hosted in an ASP.NET application. I have set up security as TransportWithCredentialOnly and Windows authentication. This is an Intranet scenario.

In IIS7 on a test server I have Anonymous Authentication disabled and Windows Authentication enabled. With this set up the WCF calls fail.

If I enable Anonymous Authentication then it works. What is the point of Windows Authentication if Anonymous Authentication cannot be disa开发者_StackOverflow中文版bled.

When I used Web Helper in IE it seemed that there was a call to the service similar to when you get the service definition and this need the Anonymous Authentication. I presume then that the actual calls to the Service methods will still be authenticated correctly.

Can anyone please shed some light on this as I am confused. We will be having penetration testers in a few months and I fear that they will not like the idea that they can see the service call in Fiddler or similar which they can then copy and paste into the address bar to get the service definition. Having worked with them before they are very particular and any information they can get from an app is a minus mark. In my particular industry security is extremely important.

If I am doing this wrong any help would be greatly appreciated.

I already struggled with the same problem. I fixed my problem by modifying my web.config file . Here is what I have below.

I hope that will help you!

Good luck.

<system.serviceModel>
    <bindings>
      <customBinding>
        <binding name="MyAp.Web.Services.MyAppSvc.customBinding0">
          <binaryMessageEncoding>
            <readerQuotas maxStringContentLength="2147483647" maxArrayLength="2147483647" />
          </binaryMessageEncoding>
          <httpTransport maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" authenticationScheme="Ntlm" unsafeConnectionNtlmAuthentication="true" />
        </binding>
      </customBinding>
    </bindings>
    <services>
      <service name="MyApp.Web.Services.MyAppSvc">
        <endpoint address="" binding="customBinding" bindingConfiguration="MyApp.Web.Services.MyAppSvc.customBinding0" contract="MyApp.Web.Services.MyAppSvc" />
        <!--<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>-->
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
          <dataContractSerializer maxItemsInObjectGraph="2147483647" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
  </system.serviceModel>