Friday, December 9, 2011

WCF Web API security in a domain

I've been building REST services using WCF Web API for use in an intranet. Upon deployment from my desktop to a server I started experiencing the error below even though the hosting application, ASP.NET MVC 3, was successfully using Windows authentication.

System.NotSupportedException: Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

A Google search shows that this isn't a novel situation, but I couldn't get the configuration and incantation right for Web API. Luckily, after a couple of hours of researching and fiddling with the web.config, I came across this post that revealed the solution to me.

When registering the service route:
var config = new HttpConfiguration();
   config.Security = (u, s) => {
      s.Transport.ClientCredentialType = System.ServiceModel.HttpClientCredentialType.Windows;
      s.Mode = HttpBindingSecurityMode.TransportCredentialOnly;

   routes.MapServiceRoute<YourType>("YourRoutePrefix", config);

I hope that this post saves someone some time.


  1. Thank you! I have been trying to figure this out all of yesterday. Works with self hosted HttpServiceHost.