Thursday, October 7, 2010

Silverlight, RIA Services, and Windows Authentication

Obviously there are a ton of sites on the web with how-tos for RIA Services and forms authentication. Unfortunately, I have not found one that has complete information on using Silverlight, RIA Services, and Windows authentication together and ending up with a complete, working web site. So that's what I'm going to post about here. Having said that, I did find these really good posts that cover a lot of the core things you need to know:
http://mtaulty.com/CommunityServer/blogs/mike_taultys_blog/archive/2010/07/02/silverlight-and-wcf-ria-services-5-authentication.aspx
http://ajdotnet.wordpress.com/2010/08/08/silverlight-and-integrated-authentication
http://openlightgroup.net/Blog/tabid/58/EntryId/55/RIA-Services-Windows-Authentication-amp-GetUser-Error.aspx
Check those out if you get lost in my instructions or you want to know the why and not just the how.
I'm assuming you've already got your code written and set up. If you have not, refer to the links above for help on how to do that. Now let me get to the point: you need to make sure the following settings are correct.


1. Open the web.config file for your RIA Services project and make certain the following entries are present within your system.web section:
<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"/>
<profile enabled="false" />
The first entry sets up the web site to use Windows authentication as opposed to forms authentication. The second entry is needed if you will be making calls to methods like IsInRole, so that those calls check AD groups instead of forms-based roles. The third entry turns off profiles, which you will not use with Windows authentication.


2. The next step is to set up RIA Services on your server. It is possible to include the RIA Services DLLs in your project's bin folder, but I prefer installing them to the GAC on the server. To do this, simply run this command from the command line: msiexec /i RIAServices.msi SERVER=true. If you want to install to the bin folder or need more detail, go here.

3. Next, check the settings on the server and confirm that your IIS server (I'm using Windows Server 2008 and IIS 7 for this example) has Windows authentication installed. If not, install the Windows Authentication module from the features section of the Server Manager tool. Then make sure you enable the module at the web site level from your IIS administrator console. Note that afterwards you may need to reboot or restart IIS. More detail on how to perform these steps can be found here.


4. Now here's the final issue and its fix. The default requirement for WCF services is to use anonymous authentication. The problem is that you cannot simultaneously enable both anonymous and Windows authentication for this type of site. However, it turns out you only need anonymous authentication in order to provide the mex metadata to clients that want to read your web service's metadata so that they can create a proxy. If you're using Visual Studio, it will still be able to create your proxy without it, as explained here. So turn off your mex endpoint by commenting it out or removing it from the services section of your web.config. Also make sure the httpTransport node's authenticationScheme value is Negotiate, like this:
<httpTransport authenticationScheme="Negotiate" />
(This can be found in the customBinding section of your web.config file.)
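
To confirm the settings from steps 1 and 4 in one pass, the following Python script parses a web.config and lists every setting that differs from the values above. It is an added example, not code from the original post; the sample file and its service and binding names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

EXPECTED = [  # (path, attribute, required value) from step 1 of the post
    ("system.web/authentication", "mode", "Windows"),
    ("system.web/roleManager", "enabled", "true"),
    ("system.web/roleManager", "defaultProvider", "AspNetWindowsTokenRoleProvider"),
    ("system.web/profile", "enabled", "false"),
]

def audit_web_config(xml_text):
    """Return a list of findings; an empty list means the settings match the post."""
    root = ET.fromstring(xml_text)  # the parser drops XML comments
    findings = []
    for path, name, want in EXPECTED:
        node = root.find(path)
        got = None if node is None else node.get(name)
        if got != want:
            findings.append(f"{path}@{name} is {got!r}, expected {want!r}")
    # Step 4: a live mex endpoint must be removed or commented out.
    for ep in root.iterfind("system.serviceModel/services/service/endpoint"):
        if ep.get("contract") == "IMetadataExchange" or ep.get("binding", "").startswith("mex"):
            findings.append(f"mex endpoint still enabled at address {ep.get('address')!r}")
    # Step 4: every customBinding httpTransport must use the Negotiate scheme.
    transports = root.findall("system.serviceModel/bindings/customBinding/binding/httpTransport")
    if not transports:
        findings.append("no customBinding httpTransport element found")
    for t in transports:
        if t.get("authenticationScheme") != "Negotiate":
            findings.append(f"httpTransport authenticationScheme is {t.get('authenticationScheme')!r}, expected 'Negotiate'")
    return findings

# Constructed sample (hypothetical service and binding names) with three mistakes.
BAD = """<configuration><system.web>
    <authentication mode="Forms" />
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
    <profile enabled="false" />
  </system.web><system.serviceModel>
    <services><service name="Sample.Web.SampleService">
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service></services>
    <bindings><customBinding><binding name="sampleBinding">
      <httpTransport authenticationScheme="Negotiation" />
    </binding></customBinding></bindings>
  </system.serviceModel></configuration>"""
# The same file after the fixes: Windows auth, mex commented out, scheme corrected.
GOOD = (BAD.replace('mode="Forms"', 'mode="Windows"').replace("Negotiation", "Negotiate")
        .replace("<endpoint", "<!-- <endpoint").replace('Exchange" />', 'Exchange" /> -->'))

if __name__ == "__main__":
    print("before:", audit_web_config(BAD), "after:", audit_web_config(GOOD))
```

Because the parser discards XML comments, a commented-out mex endpoint counts as removed, which matches the instruction in step 4.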


And that's it! Good luck.
