You might get a "Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service." exception when configuring security for WCF services. The reason for such an error is simple: you are exposing an endpoint that requires anonymous auth and anonymous access is not allowed on the hosting web site or virtual directory. Chances are that the offending endpoint is your metadata exchange endpoint. Once you remove this endpoint or you configure a different authentication for it, the error should disappear.