We have multiple web services that provide access to some large data extractions. They're implemented as http handlers, so we can stream the result directly into the response stream. We already have anonymous and HTTP basic authentication working on a single endpoint. We would now like to add Windows Authentication, so internal users can get access to all the same data that they can get from the internal web app.
However, I can only get Windows Authentication working if I disable anonymous authentication in IIS's configuration. Obviously, this means that anonymous requests to this endpoint stop working. I didn't test HTTP Basic, but I would guess they would stop working too.
I know we could create a new endpoint, just for Windows authenticated requests. But, is there any way to get it to work with a single endpoint, like we already have with anonymous and basic authentication?
Since anonymous is enabled, users can't make authenticated requests with their web browser, but we're fine with this limitation. I tried creating a HTML page that makes a XHR request and set withCredentials to true, but the web service only sees the username when anonymous auth is disabled in IIS. I also created a console app that tries to force network credentials in different ways. But again, the web service only sees the username when anonymous requests are disabled.
Does anyone know if it's possible to achieve anonymous and Windows authentication on a single URL?
