IIS Security Settings for Silverlight 2.0

Thursday, June 18 2009

The web is great for learning patterns and practices when you are planning to deploy a solution. With Silverlight, learning how to configure IIS for best results in a tightly secured environment is a huge task. What happens if you simply configure IIS to require Windows Authentication? Will Silverlight's requests for the clientaccesspolicy.xml or crossdomain.xml file be sent with your Windows Authentication across a few firewalls?

Integrated Windows authentication does not work across proxy servers or other firewall applications.

If integrated Windows authentication fails, due to improper user credentials or some other problem, the browser will prompt the user to enter their user name and password.

So if Silverlight requests a file protected by Integrated Windows authentication from a background thread, the browser will not display that prompt; Silverlight therefore cannot access the resource and your application will fail miserably.

Knowing how to configure IIS for Silverlight is the key, and some trade-off has to be made. Below I have tried to gather the good patterns and practices from Microsoft for configuring your IIS; I could not find patterns specific to Silverlight and IIS, yet I believe there is enough information to understand the best way to secure your resources without locking Silverlight out.
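One way to make that trade-off on IIS 7, as an added example that is not from the original post or from Microsoft's documentation: keep Integrated Windows authentication on the whole site but let only the two cross-domain policy files be read anonymously, since those are the files Silverlight fetches in the background with no credential prompt. It assumes an IIS 7 site where the two authentication sections have been unlocked in applicationHost.config (they are locked by default); on IIS 6 the same per-file split is made through the Directory Security / File Security property sheets.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- web.config at the site root. Added example, assumes IIS 7 and that
     anonymousAuthentication and windowsAuthentication are unlocked first:
       appcmd unlock config /section:anonymousAuthentication
       appcmd unlock config /section:windowsAuthentication -->
<configuration>

  <!-- Site-wide: Integrated Windows authentication only, no anonymous. -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>

  <!-- Silverlight requests this file in a background thread; the browser
       never shows a credential prompt for it, so it must be anonymous.
       The location element scopes the exception to this one file. -->
  <location path="clientaccesspolicy.xml">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
          <windowsAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>

  <!-- Same exception for the Flash-style policy file Silverlight falls
       back to when clientaccesspolicy.xml is absent. -->
  <location path="crossdomain.xml">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
          <windowsAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>

</configuration>
```

To verify, request /clientaccesspolicy.xml from another machine without sending credentials: a 200 means Silverlight's background fetch will succeed, a 401 means the file is still behind Windows authentication and the application will fail as described above.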

Anonymous access is the most commonly used IIS setting. Removing it will break many of your resources, so understanding how to lock it down is probably the best way to keep your application pool running.

Anonymous access, the most common Web site access control method, allows anyone to visit the public areas of your Web sites. In IIS 6.0, anonymous users are assigned by default to the IUSR_computername account, which is a valid Windows account that is a member of the Guests group. The IUSR_computername account can be defined on a computer or on a domain.

IIS Best Practices

• Restrict write access permissions for the IUSR_computername account. This will help limit the access anonymous users have to your computer.

• Store executable files in a separate directory. This makes it easier for administrators to assign access permissions and to audit them.

• Create a group for all anonymous user accounts. You can deny access permissions to resources based on this group membership.

• Deny execute permissions for anonymous users to all executables in Windows directories and subdirectories.


Preventing Anonymous Access in HTTP and HTTPS by Nicholas Allen.

Disabling anonymous access requires coordinating the settings in IIS and in your service configuration. Those two sources must be in agreement about whether anonymous access is expected. IIS is already using Windows authentication in this case, so let's look at what needs to happen to the service configuration file. I'm assuming that this is IIS6 so the only network transport we're talking about here is HTTP.


Configuring Anonymous Authentication

By default, the IUSR_computername account is included in the Windows user group Guests. You can create multiple anonymous accounts, one for each Web or FTP site, directory, or file. By giving these accounts differing access permissions, or by assigning them to different Windows user groups, you can grant users anonymous access to different areas of your public Web and FTP content.

The anonymous account must have the user right to log on locally. If the account does not have the Log On Locally permission, IIS will not be able to service any anonymous requests. The IUSR_computername accounts on domain controllers are not assigned this right by default and must be changed to Log On Locally to allow anonymous requests.

You can also change the security privileges for the IUSR_computername account in Windows. However, if the anonymous user account does not have permission to access a specific resource, your Web server will refuse to establish an anonymous connection for that resource. For more information, see Setting Web Server Permissions.

To change the account used for anonymous authentication
  1. In the Internet Information Services snap-in, select a site, directory, or file, and open its property sheets.
  2. Select the appropriate Directory Security or File Security property sheet. Under Anonymous Access and Authentication Control, click Edit.
  3. In the Authentication Methods dialog box, under Anonymous access, click Edit.
  4. In the Anonymous User Account dialog box, either type in, or Browse to, the valid Windows user account you want to use for anonymous access.
  5. Clear the Allow IIS to control password check box to enter the account's password.

Important   If you change the IUSR_computername

Configuring Integrated Windows Authentication

Integrated Windows authentication does not work across proxy servers or other firewall applications.

If integrated Windows authentication fails, due to improper user credentials or some other problem, the browser will prompt the user to enter their user name and password.

Only Microsoft Internet Explorer, version 2.0 or later, supports integrated Windows authentication.

Configure IIS to host Silverlight applications

http://silverlight.net/forums/t/479.aspx


Cheers

Al
