Webservices - basic authentication problem

I'm trying to configure the WebServices path on a forms-authenticated site to use basic authentication, but I can't get past the (Windows) login prompt. If I comment out the basic authentication section and get to the forms login page, I get in.

<location path="WebServices">
    <!--<episerver.basicAuthentication sendBasicChallenge="true" basicRealm="" />-->
    <system.web>
        ...
    </system.web>
</location>

So obviously I have the correct permissions. The HTTP module is configured:
<httpModules>
    <add name="BasicAuthentication" type="EPiServer.Security.BasicAuthentication, EPiServer" />
    ...
</httpModules>

EPiServer CMS 5 R2

Any ideas?

/Hans

#25052
Oct 10, 2008 13:17
I have found a way to get it to work. But is it meant to be done like this?

The WebServices directory in R2 is handled with VirtualPathProviders and is physically the "C:\Program\EPiServer\CMS\5.2.375.7\Application\WebServices" directory. I add an empty "WebServices" directory in the root of the site directory and then, in the IIS settings, change the directory security for the "WebServices" directory: I set the authentication mode to be only "Basic authentication" and I set the "Default domain:" to our domain name. I have to use the WindowsMembership/Role or MultiplexingMembership/Role providers. I can skip the "Default domain" value in the IIS settings if I use usernameformat=DomainAndName on the WindowsMembershipProvider. I can only log in with a Windows account. If I use an SqlMembership account, there is not even a request to the server and the BasicAuthentication module.

Is this how it is meant to be set up? Or is the problem that I am testing it on a domain? Normally the scenario, on a public site with forms authentication, is that it's not on a domain. Will the setup be easier on a server without a domain?

Testing on a 2003 server and on my XP. IIS 6 I guess.

Anyone?

/Hans

#25062
Oct 10, 2008 15:01
Problem solved

When installing an EPiServer site the default IIS security settings are:
"Enable anonymous access" - enabled
"Integrated Windows authentication" - enabled

If "Integrated Windows authentication" is enabled, the BasicAuthentication module won't work. The "DecodeAuthenticationHeader" method in the BasicAuthentication module checks if the authentication header starts with "Basic"; if not, it returns false and the user is never validated. If "Integrated Windows authentication" is enabled, the authentication header will start with "Negotiated" and the method will always return false.

So if I disable "Integrated Windows authentication" on the site level I can use a SqlMemberShipProvider user to call the WebService.

Maybe this is obvious, but it wasn't for me.

/Hans

#25088
Oct 13, 2008 14:07
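
The scheme check described in the last post, as an added Python sketch for diagnosing this kind of setup; it is not EPiServer's code and not part of the original thread. The function names and sample header values are constructed for illustration.

```python
import base64
import binascii

def decode_basic_header(header):
    """Return (username, password) from an Authorization header, or None.

    Mirrors the behaviour the post describes: anything that is not the
    Basic scheme is rejected before any credential validation happens.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    # Scheme names are case-insensitive in HTTP authentication.
    if scheme.lower() != "basic" or not token.strip():
        return None  # e.g. a Negotiate or NTLM token never reaches validation
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed base64 is treated as "no credentials"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")
    # Only the first colon separates user and password; passwords may contain ':'.
    user, sep, password = text.partition(":")
    if not sep or not user:
        return None
    return user, password

def offered_schemes(www_authenticate_values):
    """Lower-cased scheme names from the WWW-Authenticate headers of a 401."""
    return [v.split(None, 1)[0].lower() for v in www_authenticate_values if v.strip()]

def diagnose(www_authenticate_values):
    """Classify a 401 response for a path that should use Basic only."""
    schemes = offered_schemes(www_authenticate_values)
    if "basic" not in schemes:
        return "no-basic-challenge"
    if any(s in ("negotiate", "ntlm") for s in schemes):
        # A client may answer with the integrated scheme instead of Basic,
        # so a Basic-only module would see a header it rejects.
        return "integrated-auth-also-offered"
    return "basic-only"

if __name__ == "__main__":
    # Constructed sample: challenges from a site with integrated auth still on.
    print(diagnose(["Negotiate", "NTLM", 'Basic realm=""']))
    print(decode_basic_header("Negotiate YIIconstructedtoken"))
    print(decode_basic_header("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
```

Running `diagnose` against the `WWW-Authenticate` values returned for the WebServices path shows whether integrated authentication is still being offered alongside Basic.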
This thread is locked and should be used for reference only. Please use the Episerver CMS 7 and earlier versions forum to open new discussions.