401 response for CORS request in IIS with Windows Auth enabled

iis-7.5 windows-authentication asp.net-web-api ntlm cors
dariusriggins picture dariusriggins · May 23, 2012 · Viewed 46.9k times · Source

I'm trying to enable CORS support in my WebAPI project, and if I enable Anonymous Authentication then everything works fine, but with Windows Auth + disabled anonymous authentication, the OPTIONS request sent always returns a 401 unauthorized response. The site requesting it is on the DOMAIN so should be able to make the call, is there any way to get around the issue without disabling Windows Authentication?

Answer

Jan Remunda picture Jan Remunda · Sep 15, 2014

You can allow only OPTIONS verb for anonymous users. 

<system.web>
  <authentication mode="Windows" />
    <authorization>
      <allow verbs="OPTIONS" users="*"/>
      <deny users="?" />
  </authorization>
</system.web>

According W3C specifications, browser excludes user credentials from CORS preflight: https://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#preflight-request

Related questions

Unable to authenticate to ASP.NET Web Api service with HttpClient

I have an ASP.NET Web API service that runs on a web server with Windows Authentication enabled. I have a client site built on MVC4 that runs in a different site on the same web server that uses the …

Read More
Does an IIS 7.5 web app with windows authentication require end users to have file permissions?

Short version: For IIS 7.5 web applications with Windows Authentication does the end user need to have Read file access? Long version: I have an intranet ASP.NET web app that uses windows authentication. It's installed at dozens of different companies …

Read More
Impersonate Domain User with Integrated Pipeline

In an local Intranet environment, are we doomed to use "Classic" pipeline mode in our App Pool if we want to use Impersonate our Windows domain users, or is there a new way to declaratively "run as" them (so-to-speak)? My …

Read More