The problem was that the .ashx handler allows anonymous access but Windows Authentication will not even pass the WindowsIdentity
along if the handler allows anonymous access. What I did to fix this is to create 2 handler entries in the web.config that point to the same handler class:
<add name="AnonymousHandler" verb="GET" path="*/AnonymousHandler.ashx"
type="MyLibrary.MyHandler, MyHandler, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=12e530ccad45314d"/>
<add name="AuthenticatedHandler" verb="GET" path="*/AuthenticatedHandler.ashx"
type="MyLibrary.MyHandler, MyHandler, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=12e530ccad45314d"/>
then I denied anonymous access to the authenticated version:
<location path="AuthenticatedHandler.ashx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>