I have a WCF 4 service which is in a Secure subfolder, accessible after the client has authenticated using Forms authentication using the .NET AuthenticationService.

This WCF service is for a mobile app client which communicates via json but is not an ASP.NET app. I have successfully configured the service to use json and the AuthenticationService has the standard configuration as documented in many places e.g. http://msdn.microsoft.com/en-us/library/bb398990.aspx

The docmentation for the AuthenticationService says "The application must be able to send and consume a SOAP message". However I want the client to be able to use json for authentication as well. Is this possible? What's the configuration required?

I found this article http://weblogs.asp.net/asptest/archive/2008/12/09/working-with-the-asp-net-ajax-authentication-service.aspx so it looks like the AuthenticationService can handle json but it uses Client Application Services. The mobile app client is not an ASP.NET app.

Yes the AuthenticationService can handle JSON. There are a couple of ways to do. Here is a sample configuration I've used in the past using the element.

<system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>

    <services>
      <service name="System.Web.ApplicationServices.AuthenticationService" behaviorConfiguration="MyServiceBehavior">
        <endpoint address="" behaviorConfiguration="ajaxBehavior"
                  contract="System.Web.ApplicationServices.AuthenticationService"
                  binding="webHttpBinding" bindingConfiguration="webHttpBindingSecure"
                  bindingNamespace="http://asp.net/ApplicationServices/v200"/>
      </service>
    </services>

    <behaviors>
      <endpointBehaviors>
        <behavior name="ajaxBehavior">
          <enableWebScript/>
        </behavior>

      </endpointBehaviors>
      <serviceBehaviors>

        <behavior name="MyServiceBehavior">
          <serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>

    <bindings>
      <webHttpBinding>
        <binding name="webHttpBindingSecure">
          <security mode="Transport"/>
        </binding>
      </webHttpBinding>
    </bindings>
</system.serviceModel>

The question is old for long time but I think it will help someone if I post my answer.

For sure you can return json for AuthenticationService. The solution is very simple like Garret answer, you only need configure another endpoint like this but you need add 2 addition attributes for endpoint behaviors: defaultOutgoingResponseFormat="Json" and defaultBodyStyle="Wrapped" to overwrite default soap response.

<system.serviceModel>
<services>
  <service behaviorConfiguration="AuthenticationServiceBehaviors" name="System.Web.ApplicationServices.AuthenticationService">
    <endpoint address="" behaviorConfiguration="ajaxBehavior"
               contract="System.Web.ApplicationServices.AuthenticationService"
               binding="webHttpBinding" bindingConfiguration="RestBinding"
               bindingNamespace="http://asp.net/ApplicationServices/v200"/>
  </service>
</services>
<bindings>
      <webHttpBinding>
    <binding name="RestBinding" />
  </webHttpBinding>
</bindings>

<behaviors>
  <endpointBehaviors>
    <behavior name="ajaxBehavior">
      <webHttp helpEnabled="true" defaultOutgoingResponseFormat="Json" defaultBodyStyle="Wrapped" />
    </behavior>
  </endpointBehaviors>
  <serviceBehaviors>
    <behavior name="AuthenticationServiceBehaviors">
      <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior>
  </serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true" />

I hope this help someone who want to expose asp.net membership as json format to use in mobile app.