Menu
I'm trying to enable CORS support in my WebAPI project, and if I enable Anonymous Authentication then everything works fine, but with Windows Auth + disabled anonymous authentication, the OPTIONS request sent always returns a 401 unauthorized response. The site requesting it is on the DOMAIN so should be able to make the call, is there any way to get around the issue without disabling Windows Authentication?
257
The HTTP status and sub status are 401.1, which maps to Access Denied due to Invalid credentials.
You can allow only OPTIONS verb for anonymous users.
<system.web> <authentication mode="Windows" /> <authorization> <allow verbs="OPTIONS" users="*"/> <deny users="?" /> </authorization> </system.web> According W3C specifications, browser excludes user credentials from CORS preflight: https://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#preflight-request
61
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
