
CORS preflight request returning HTTP 401 with windows authentication


I searched a lot on Google and Stack Overflow to find a solution for my problem, but nothing worked.

Here is my problem:

  • I use IIS 7 with a special programming environment called WebDEV that does not allow direct manipulation of OPTIONS HTTP method. So, all solutions suggesting some kind of server-side request handling using code are not feasible.

  • I have to use Windows authentication and disable anonymous access.

  • I have a page that uses CORS to POST to this server. As this POST should have Content-type: Octet-stream, a preflight is issued by the browser.

  • When I enable anonymous access, everything works fine (CORS is well configured)

  • When I disable anonymous access, the server replies with HTTP 401 unauthorized response to the preflight request, as it does not contain credentials information.

  • I tried to write a module for IIS that accepts OPTIONS requests like this, but it did not work (couldn't add the module correctly to IIS, maybe)

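    using System.Net;
    using System.Web;

    // IIS HTTP module that forces a 200 status on OPTIONS (preflight) requests.
    public class CORSModule : IHttpModule
    {
        public void Dispose()
        {
        }

        public void Init(HttpApplication context)
        {
            // Runs just before the response headers are sent to the client.
            context.PreSendRequestHeaders += delegate
            {
                if (context.Request.HttpMethod == "OPTIONS")
                {
                    var response = context.Response;
                    response.StatusCode = (int)HttpStatusCode.OK;
                }
            };
        }
    }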
    

The question is: How can I make IIS respond with HTTP 200 to the preflight request without enabling anonymous access or writing some server-side code? Is there an easy configuration or a ready-made module for IIS to do so? At least, what are the detailed steps to install the above module into IIS 7?


Solution

  • Here is the solution that uses "URL Rewrite" IIS module. It works perfectly.

    1- Stop IIS service (maybe not necessary)

    2- Install "web platform installer" from https://www.microsoft.com/web/downloads/platform.aspx

    3- Go to "Applications" tab and search for "URL Rewrite" and download it

    4- Install this hotfix KB2749660 (maybe not necessary)

    5- Open IIS configuration tool, double click "URL Rewrite"

    6- Add a new blank rule

    7- Give it any name

    8- In "Match URL", specify this pattern: .*

    9- In "Conditions", specify this condition entry: {REQUEST_METHOD} and this pattern: ^OPTIONS$

    10- In "Action", specify: action type Personalized response, state code 200, reason Preflight, description Preflight

    11- Start the server

    Now, the server should reply with a 200 status code response to the preflight request, regardless of the authentication.

    Remarks: I also disabled all compression, I don't know if it matters.
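
Why the 401 blocks the POST, and what the 200 response still has to carry, shown as an added example that is not part of the original question or answer: a simplified model of the browser's preflight check. The origin, request and header values are constructed, and it assumes the POST is sent with credentials, as Windows authentication requires.

```javascript
// Added example: simplified model of the browser's CORS preflight check.
// Sample origins, requests and responses are constructed for illustration.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];

function parseList(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// request:  { origin, method, unsafeHeaders: [names], credentials: boolean }
// response: { status, headers: { "lower-case-name": "value" } }
function checkPreflight(request, response) {
  const h = response.headers;
  // The preflight is sent without credentials; a 401 challenge fails it here.
  if (response.status < 200 || response.status > 299) {
    return `blocked: preflight status ${response.status} is not 2xx`;
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (request.credentials) {
    // Credentialed requests need the exact origin and an explicit opt-in.
    if (allowOrigin !== request.origin) return "blocked: origin not allowed for credentialed request";
    if (h["access-control-allow-credentials"] !== "true") return "blocked: credentials not allowed";
  } else if (allowOrigin !== "*" && allowOrigin !== request.origin) {
    return "blocked: origin not allowed";
  }
  // "*" is a wildcard only for requests without credentials.
  const wildcard = (list) => !request.credentials && list.includes("*");
  const methods = parseList(h["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.includes(request.method) &&
      !methods.includes(request.method.toLowerCase()) && !wildcard(methods)) {
    return `blocked: method ${request.method} not allowed`;
  }
  const allowed = parseList(h["access-control-allow-headers"]);
  for (const name of request.unsafeHeaders) {
    if (!allowed.includes(name.toLowerCase()) && !wildcard(allowed)) {
      return `blocked: header ${name} not allowed`;
    }
  }
  return "allowed";
}

// Constructed cross-origin POST with Content-Type: application/octet-stream.
const upload = { origin: "https://app.example", method: "POST",
                 unsafeHeaders: ["Content-Type"], credentials: true };
const corsHeaders = { "access-control-allow-origin": "https://app.example",
                      "access-control-allow-credentials": "true",
                      "access-control-allow-headers": "Content-Type" };

console.log(checkPreflight(upload, { status: 401, headers: corsHeaders }));
console.log(checkPreflight(upload, { status: 200, headers: corsHeaders }));
console.log(checkPreflight(upload, { status: 200,
  headers: { ...corsHeaders, "access-control-allow-origin": "*" } }));
```

The rewrite rule only matches OPTIONS, so the POST that follows the preflight still has to pass Windows authentication on its own.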