How can I simultaneously authenticate to an IIS7-hosted javascript web client and WCF service using Windows Authentication?

Question

I have created and tested a WCF REST service that is protected with SSL and Windows Authentication through IIS 7. I have also created and tested a pure html/javascript web client that is hosted in IIS 7 that is protected with SSL and Windows Authentication -- same server, different "site" within IIS. The REST service is not public, but the web client is.

Without security, everything works beautifully, but now we are ready for field testing and security must be implemented.

My end goal is to have the user visit mywebclient.com and authenticate using their Active Directory accounts. Initially I thought it would be safe to leave the service calls from the client to the REST service unprotected (since the traffic from the web client to the web service would be internal), but this does not protect us from an internal attacker. Also, in the future, the REST services will be available to handhelds through native applications.

I've tried to gain as much information on this subject as possible, but every piece of Microsoft documentation contains client examples written in .NET.

How can I share the security context between these sites without converting the web client to a .NET-based application? Could this be accomplished by combining the web client and service into one IIS "site"?

Edit: If the client and service exist in the same app pool, does that mean they could share authentication information between client and server processes?

Answer 1

See this How can I pass windows authentication to webservice using jQuery? explains basically passing Windows Auth while accessing Service. But i am not sure your other parts of the questions answered though.