CORS preflight request returning HTTP 401 with windows authentication

Question

I searched a lot on Google and Stack overflow to find a solution for my problem, but nothing worked.

Here is my problem:

• I use IIS 7 with a special

Answer 1

From AhmadWabbi's answer, easy XML pasting into your web.config:

<system.webServer>
    <rewrite>
        <rules>
            <rule name="CORS Preflight Anonymous Authentication" stopProcessing="true">
                <match url=".*" />
                <conditions>
                    <add input="{REQUEST_METHOD}" pattern="^OPTIONS$" />
                </conditions>
                <action type="CustomResponse" statusCode="200" statusReason="Preflight" statusDescription="Preflight" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>

Answer 2

All the answers that involve writing code, using the rewrite module, or hard-coding values in web.config were correct when they were written, but I believe the correct answer to this problem in 2020 is to use the official IIS CORS module. This will handle all the little gotchas like having to allow unauthenticated OPTIONS requests, without otherwise supporting unauthenticated users.

This related answer has some really great details about using this module, but the simplest configuration is right at the top:

  <system.webServer>
    <cors enabled="true">
      <add origin="*" allowCredentials="true" />
    </cors>
  </system.webServer>

I would certainly change the origin="*" to the specific origin you expect to use the API from. You can have more than one <add> tag, and the linked answer shows how to customize allowed headers, methods, etc. for each.

Answer 3

In order for your module to take precedence it will have to override any modules within IIS that may interfere. For instance, your web.config may need a or enable anonymous, and create an attribute for intercepting the traffic and filtering through as you need to.

Answer 4

Here is the solution that uses "URL Rewrite" IIS module. It works perfectly.

1- Stop IIS service (maybe not necessary)

2- Install "web platform installer" from https://www.microsoft.com/web/downloads/platform.aspx

3- Go to "Applications" tab and search for "URL Rewrite" and download it

4- Install this hotfix KB2749660 (maybe not necessary)

5- Open IIS configuration tool, double click "URL Rewrite"

6- Add a new blankrule

7- Give it any name

8- In "Match URL", specify this pattern: .*

9- In "Conditions", specify this condition entry: {REQUEST_METHOD} and this pattern: ^OPTIONS$

10- In "Action", specify: action type Personalized response, state code 200, reason Preflight, description Preflight

11- Start the server

Now, the server should reply with a 200 status code response to the preflight request, regardless of the authentication.

Remarks: I also disabled all compression, I don't know if it matters.