I have several WCF wsHttp services using Transport security over an SSL connection. Presently I use "Windows" for the clientCredentialType and all has worked fine with exception of one scenario where my e-commerce site (its own SSL) had a problem communicating with the other server via SSL and I had to create a separate service and use Basic for the clientCredentialType.

I don't want anonymous connections so I have Basic and Windows Authentication enabled in IIS 7.5 on the WCF service site.

Is one better than the other regarding security? Windows vs. Basic? If not then it seems like I should just change everything to Basic and then I can eliminate my duplicated service configuration for the e-commerce issue.

I don't use ActiveDirectory and I just wanted to minimize all risk of someone sniffing the calls. Anyone have an opinion on the clientCredentialType setting I should use?

Thank you.