Access denied when trying to access a WCF service in SharePoint 2010

We had a hair-pulling situation that we finally figured out (when I say we, I mean my buddy Scott Jamison ).

Problem

At one of our client sites, any attempt to browse to a WCF service (any svc page in the /_vti_bin/ library), we were met with an access denied screen.

We blamed everything, claims, WCF registration, .NET 4.0, the guy sitting next door.  We ripped apart the web.config for the web app, and various other web.config files.  With no resolution, we tried installing the ADO.NET data services thinking that might fix it.  Nope.

Resolution

So our next move was to create another web app, and test the virtual services against that. 

Note: When we created the new web app, it complained about duplicate sections in web.config.  This turned out to be the .NET 4.0 CLR was applied to the application pool instead of 2.0.  This can be changed in IIS and the default CLR can be set back to 2.0.

Testing the WCF services against the new web application was successful!  So what’s the difference?  They were both created through the UI.

We compared the web.configs, but found nothing obvious.  Then we compared the IIS settings; this is where Scott discovered the problem.  The rogue web app had anonymous disabled. 

Enabling anonymous and resetting IIS fixed the problem.  Doh!  Not sure why this web app had anonymous disabled, but that indeed was the problem.

Thanks to Scott, Mark, James, and Sean for figuring this out.