I have a set of IIS7-hosted net.tcp WCF services that serve my ASP.NET MVC web application. The web application is accessed over the internet.

WCF Services (IIS7) <--> ASP.NET MVC Application <--> Client Browser

The services are username authenticated, the account that a client (of my web application) uses to logon ends up as the current principal on the host.

I want one of the services to be authenticated differently, because it serves the view model for my logon view. When it's called, the client is obviously not logged on yet. I figure Windows authentication serves best or perhaps just certificate based security (which in fact I should use for the authenticated services as well) if the services are hosted on a machine that is not in the same domain as the web application.

That's not the point here though. Using multiple TCP bindings is what's giving me trouble. I tried setting it up like this:

<bindings>
  <netTcpBinding>
    <binding>
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
    <binding name="public">
      <security mode="Transport">
        <message clientCredentialType="Windows"/>
      </security>
    </binding>
  </netTcpBinding>
</bindings>

The thing is that both bindings don't seem to want live together in my host. When I remove either of them, all's fine but together they produce the following exception on the client:

The requested upgrade is not supported by 'net.tcp://localhost:8081/Service2.svc'. This could be due to mismatched bindings (for example security enabled on the client and not on the server).

In the server trace log, I find the following exception:

Protocol Type application/negotiate was sent to a service that does not support that type of upgrade.

Am I looking into the right direction or is there a better way to solve this?