Does WCF on IIS Need Anonymous Authentication?

One of these days, I had a conversation with one of my colleagues, who was saying that you need to enable Anonymous Authentication on IIS in order to host a WCF service in IIS.

In fact, I was surprised by the large number of people who still believe that this is indeed a requirement.

So let's try to shed some light on this by saying from the start that it is not true that you have to enable Anonymous Authentication in order to host WCF in IIS.

That said, let's elaborate a little more.

It's true that there are some restrictions when you configure WCF bindings, though.

So, here is what you need to be aware of.

The settings for your WCF bindings should be compatible with the IIS settings. This makes sense, right? I mean, if you want to enable transport-layer authentication in your WCF binding, you have to do the same for the virtual application in IIS.

For example, when you use BasicHttpBinding, you can enable transport-layer authentication by setting the security mode to "TransportCredentialOnly". In this case, you can disable Anonymous Authentication on IIS.

However, there is one special case.

If you are using WSHttpBinding over HTTP instead of HTTPS, you would have to enable Anonymous Authentication on IIS. This is because none of the security modes for WSHttpBinding allows you to configure transport-layer authentication over HTTP, something that BasicHttpBinding does implement.

Of course, you can solve this by using either BasicHttpBinding or CustomBinding.

Please keep in mind, however, that this is not a limitation. In fact, it tries to reduce confusion, since with WSHttpBinding you would use either SSL as transport-layer security or message security.
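
The BasicHttpBinding and CustomBinding options described above, sketched as a web.config with Anonymous Authentication disabled in IIS. This is an added example, not configuration from the original post; the service, contract and binding names are hypothetical, and Windows is assumed as the credential type.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <!-- Option 1: BasicHttpBinding authenticating at the transport layer over plain HTTP.
           TransportCredentialOnly gives authentication only: no message integrity or confidentiality. -->
      <basicHttpBinding>
        <binding name="basicWindowsOverHttp">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
      <!-- Option 2: CustomBinding with the HTTP transport asking for Negotiate authentication,
           for cases where WSHttpBinding over HTTP would otherwise force anonymous access. -->
      <customBinding>
        <binding name="customWindowsOverHttp">
          <textMessageEncoding />
          <httpTransport authenticationScheme="Negotiate" />
        </binding>
      </customBinding>
    </bindings>
    <services>
      <!-- Hypothetical service and contract names -->
      <service name="Example.OrderService">
        <endpoint address="basic" binding="basicHttpBinding"
                  bindingConfiguration="basicWindowsOverHttp"
                  contract="Example.IOrderService" />
        <endpoint address="custom" binding="customBinding"
                  bindingConfiguration="customWindowsOverHttp"
                  contract="Example.IOrderService" />
      </service>
    </services>
  </system.serviceModel>
  <!-- IIS side: must match the bindings above. These sections are locked by default,
       so they may have to be set in applicationHost.config or unlocked for the application. -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```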