If an non-authenticating internal service is also published to an external audience, and authentication is desired in the latter situation....then the same service will need to
