
Configure WCF to ignore authentication requirements inside IIS

Scenario:

  1. Two websites (example.com, admin.example.com) that share the same wwwroot folder.
  2. example.com allows only anonymous access
  3. admin.example.com allows only windows authentication.
  4. /Service/Awesome.svc returns a json object

Accessing the Awesome service using example.com works, while admin.example.com throws a NotSupportedException; "Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service."

<system.serviceModel>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true"
                             multipleSiteBindingsEnabled="true" />

  <behaviors>
    <serviceBehaviors>
      <behavior name="serviceBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="true" />
      </behavior>
    </serviceBehaviors>
    <endpointBehaviors>
      <behavior name="jsonBehavior">
        <enableWebScript />
      </behavior>
    </endpointBehaviors>
  </behaviors>

  <services>
    <service name="WcfServices.AwesomeService"
             behaviorConfiguration="serviceBehavior">
      <endpoint address="" binding="webHttpBinding" 
                contract="WcfServices.IAwesomeService" 
                behaviorConfiguration="jsonBehavior" />
    </service>
  </services>
</system.serviceModel>

How do I configure WCF to ignore the authentication requirement? I want the same behavior as if this were a web service or handler, just execute and return the awesome json object.


I think you're out of luck here. Give Awesome.svc anonymous access, and give anon access a user account that has no access to sensitive resources.


It sounds like you have two copies of the service, one under the website example.com and the other under admin.example.com. If admin.example.com needs IIS integrated (challenge/response) authentication then your WCF service binding needs to be in Transport mode because IIS requires all admin.example.com resources to be Windows authentication. Try this configuration:

<bindings>
  <basicHttpBinding>
    <binding name="Binding1">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

If this doesn't work for you, you may want to try hosting the services in their own virtual directory so they are not at the mercy of what the website needs for security.

Good Luck.
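
The transport-security setting from the second answer, applied to the question's webHttpBinding endpoint, as an added example that is not part of the original thread. The binding names are hypothetical, and the second binding assumes .NET Framework 4.5 or later, where `InheritedFromHost` is available as a client credential type.

```xml
<!-- Added example, not from the original thread. Binding names are hypothetical. -->
<system.serviceModel>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true"
                             multipleSiteBindingsEnabled="true" />
  <bindings>
    <webHttpBinding>
      <!-- Option A: the endpoint demands Windows authentication. This matches
           admin.example.com, but activation fails on a site where Windows
           authentication is not enabled, so it does not suit a shared wwwroot. -->
      <binding name="windowsOnly">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
      <!-- Option B (assumes .NET 4.5+ and IIS hosting): the endpoint accepts
           whatever authentication schemes the hosting IIS site has enabled,
           so one web.config serves both sites and IIS stays in charge of
           who gets in. Use mode="Transport" when the site is bound to HTTPS;
           TransportCredentialOnly leaves the request and response unencrypted. -->
      <binding name="inheritFromIis">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="InheritedFromHost" />
        </security>
      </binding>
    </webHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="jsonBehavior">
        <enableWebScript />
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <services>
    <service name="WcfServices.AwesomeService">
      <!-- bindingConfiguration selects one of the bindings defined above -->
      <endpoint address="" binding="webHttpBinding"
                bindingConfiguration="inheritFromIis"
                contract="WcfServices.IAwesomeService"
                behaviorConfiguration="jsonBehavior" />
    </service>
  </services>
</system.serviceModel>
```

With Option B the service does not bypass authentication on admin.example.com: callers there are still authenticated by IIS before the request reaches WCF.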
