Allow any user to access 'signalr/hubs' without credentials, using cors (server runs windows authentication)

Question

I have two servers

1. SignalR host (windows authentication, IIS)
2. Rest of the web page host (forms authentication, IIS)

I have set it all up and it works with longpolling in Chrome. (1) asks for username and password when using Firefox and navigating to https://localhost:44301/signalr/hubs.

(1) uses windows authentication. I have tried to avoid authentication by doing the following in web.config:

<location path="signalr">
  <system.web>
     <authorization>
        <allow users="*" />
     </authorization>
  </system.web>
</location>

But SignalR is not a path, because this is generated automatically. I have also tried to do this to expose the hubs, to no avail:

<location path="~/Hubs">
  <system.web>
     <authorization>
        <allow users="*" />
     </authorization>
  </system.web>
</location>

Could anyone help me find a way to remove authentication from https://localhost:12321/signalr/* ? (this includes all signalr/negotiate calls ++ also)

Answer 1

Try

<allow users="?"/> 

as it allows anonymous, with asterix "*" you allow "All users".