When hosting WCF services in IIS we would ideally want to disable anonymous authenticaion on a website when there are other resources or type of endoints being hosted on that site. The solution to this is not quite obvious.The problem basically is that we have a situation where there are double identities coming into play. Basically this is because the message identintiy for message secuirty and the transport identity from IIS, both come into the picture and WCF doest know which one to pick and hence falls back to anonymous and then you get this exception.
“Cannot start impersonation because the SecurityContext for the UltimateReceiver role from the request message with the 'http://tempuri.org/<Service>/<Action>' action is not mapped to a Windows identity.”
I was out the whole day trying to figure out how can i get this thing working. Finally Wenlong put up a full post "Impersonation with Double Identities" that explained this whole scenario.
But if you just want to get your binding up and running with impersonation and message level security this should work with anonymous authentication.
Pleaes note that you dont need to enable integrated windows authentication for this to work and SspiNegotiated will take care of this and your identity will flow through even if your Virtual directory is not setup with integrated windows authentication.