We had a hair-pulling situation that we finally figured out (when I say we, I mean my buddy Scott Jamison ).
At one of our client sites, any attempt to browse to a WCF service (any svc page in the /_vti_bin/ library), we were met with an access denied screen.
We blamed everything, claims, WCF registration, .NET 4.0, the guy sitting next door. We ripped apart the web.config for the web app, and various other web.config files. With no resolution, we tried installing the ADO.NET data services thinking that might fix it. Nope.
So our next move was to create another web app, and test the virtual services against that.
Testing the WCF services against the new web application was successful! So what’s the difference? They were both created through the UI.
We compared the web.configs, but found nothing obvious. Then we compared the IIS settings; this is where Scott discovered the problem. The rogue web app had anonymous disabled.
Enabling anonymous and resetting IIS fixed the problem. Doh! Not sure why this web app had anonymous disabled, but that indeed was the problem.