I wrote here that WCF 3.5 now supports usernames over transport security. This does not work for IIS hosted services though.

The problem is this:

When you set the clientCredentialType on the binding to Basic, you also have to enable Basic Authentication in IIS for the .svc file. Otherwise you will get this error:

“Security settings for his service require ‘Basic’ Authentication but it is not enabled for the IIS application that hosts this service.”

But when you enable Basic Auth in IIS, the request will bounce already at the IIS level because the custom credentials don’t map to a Windows account. bummer.

That said – you can get Basic Authentication for custom accounts to work in IIS by plugging into the ASP.NET pipeline. I have a proof of concept implementation of that in my book and a complete implementation (including IIS7 UI integration) somewhere on my hard drive. Will post that when I find time.