Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service

When host WCF service on IIS, you may encounter this issue. Of course we can simply enable Anonymous Authentication on IIS to resolve this issue.

However, sometimes we don't want to enable Anonymous Authentication on IIS, then we need to adjust the service security settings to fix this issue. What is security settings will require Anonymous Authentication? Let us check the following sample:

<?xml version="1.0"?>
<configuration>

  <system.web>
    <compilation debug="true" targetFramework="4.0" />
  </system.web>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="TestBinding">
          <security mode="Transport">
            <transport clientCredentialType="None"></transport>
          </security>
          <security mode="Message">
            <message clientCredentialType="UserName"/>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="WcfServiceTest.IServices1" behaviorConfiguration="TestBehaviro">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="TestBinding" contract="WcfServiceTest.IService1"></endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetaDataExchange"></endpoint>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="TestBehavior">
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
 <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
  
</configuration>

The setttings require Anonymous Authentication:

1. Message security always require Anonymous Authentication

          <security mode="Message">
            <message clientCredentialType="UserName"/>
          </security>

2. HttpClientCredentialType.None specifie Anonymous Authentication

          <security mode="Transport">
            <transport clientCredentialType="None"></transport>
          </security>

Note: Transport and Message securities are not allow to being used together in earlier .Net version.

3. MetaDataExchane endpoint require Anonymous Authentication

        <endpoint address="mex" binding="mexHttpBinding" contract="IMetaDataExchange"></endpoint>

Above are all I found by performing some testing, I am not 100% sure it is correct. But is helps me resolve this issue at least.