CORS preflight request returning HTTP 401 with windows authentication

Question

I searched a lot on Google and Stack overflow to find a solution for my problem, but nothing worked.

Here is my problem:

• I use IIS 7 with a special programming environment called WebDEV that does not allow direct manipulation of OPTIONS HTTP method. So, all solutions suggesting some kind of server-side request handling using code are not feasible.

• I have to use Window authentication and disable anonymous access

• I have a page that uses CORS to POST to this server. As this POST should have Content-type: Octet-stream, a preflight is issued by the browser.

• When I enable anonymous access, everything works fine (CORS is well configured)

• When I disable anonymous access, the server replies with HTTP 401 unauthorized response to the preflight request, as it does not contain credentials information.

• I tried to write a module for IIS that accepts OPTIONS requests like this, but it did not work (couldn't add the module correctly to IIS, maybe)

  public class CORSModule : IHttpModule
     {
  
            public void Dispose() { 
            }
  
            public void Init(HttpApplication context)
            {
                 context.PreSendRequestHeaders += delegate
                 {
                    if (context.Request.HttpMethod == "OPTIONS")
                     {
                           var response = context.Response;
                           response.StatusCode = (int)HttpStatusCode.OK;
                     }
                 };
            }
      } 
  

The question is: How can I make IIS respond with HTTP 200 to the preflight request without enabling anonymous access or writing some server-side code? Is there an easy configuration or a ready-made module for IIS to do so? At least, what are the detailed steps to install the above module into IIS 7?

Answer 1

Here is the solution that uses "URL Rewrite" IIS module. It works perfectly.

1- Stop IIS service (maybe not necessary)

2- Install "web platform installer" from https://www.microsoft.com/web/downloads/platform.aspx

3- Go to "Applications" tab and search for "URL Rewrite" and download it

4- Install this hotfix KB2749660 (maybe not necessary)

5- Open IIS configuration tool, double click "URL Rewrite"

6- Add a new blankrule

7- Give it any name

8- In "Match URL", specify this pattern: .*

9- In "Conditions", specify this condition entry: {REQUEST_METHOD} and this pattern: ^OPTIONS$

10- In "Action", specify: action type Personalized response, state code 200, reason Preflight, description Preflight

11- Start the server

Now, the server should reply with a 200 status code response to the preflight request, regardless of the authentication.

Remarks: I also disabled all compression, I don't know if it matters.

Answer 2

From AhmadWabbi's answer, easy XML pasting into your web.config:

<system.webServer>
    <rewrite>
        <rules>
            <rule name="CORS Preflight Anonymous Authentication" stopProcessing="true">
                <match url=".*" />
                <conditions>
                    <add input="{REQUEST_METHOD}" pattern="^OPTIONS$" />
                </conditions>
                <action type="CustomResponse" statusCode="200" statusReason="Preflight" statusDescription="Preflight" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>

Answer 3

In order for your module to take precedence it will have to override any modules within IIS that may interfere. For instance, your web.config may need a or enable anonymous, and create an attribute for intercepting the traffic and filtering through as you need to.