I've enabled Windows authentication as described here

It all works fine, there's just a tiny issue: Doing so makes every controller method protected by windows authentication. NO problem I thought, just use the [AllowAnonymous] adorner on the few controller methods where anonymous access is okay, but that won't work.

Is there any way to get the self-host to not authorized every method on every controller?

You have to enable Windows auth and anonymous auth. documentation. As is, you have told Owin to require Windows auth and disallow anything else.

In the code you cited, you would change this:

listener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication 
                               | AuthenticationSchemes.Anonymous;