Add the following in web.config under < connectionStrings />:
In IIS make sure anonymous authentication is enabled, and basic authentication is disabled.
<!-- restrict api help with AD basic auth -->
<location path="help">
<system.web>
<authorization>
<deny users="?" /> <!-- deny anonymous users -->
</authorization>
</system.web>
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="" roles="ApiUsers" />
</authorization>
<authentication>
<basicAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>