I did some experimentation today with authentication over http.
Using the System.Net.WebClient class I made requests against both a HttpListener based server and WCF service contract using webHttpBinding.
With HttpListener I can get Basic authentication and WindowsIntegratedAuthentication working just fine. With WebHttpBinding I cannot get either. I am aware that with WebHttpBinding over https you can do Basic Auth. I haven’t tried WindowsIntegratedAuthentication over https. I do understand the logic behind disallowing clear text passwords to be sent without any encryption but it is not that unusual a scenario (Twitter, POP, FTP). I’m not sure that it is Microsoft’s job to be the police in this situation.
What is even more cool is that I can connect to an HttpListener server over a VPN connection and I get the domain account of the remote user.
I was not able to implement both Basic and WindowsIntegrated at the same time. However, I did find AuthenticationSchemeSelectorDelegate which sounds very promising.