Aug 30, 2016

CORS with IIS

I've struggled quite a bit to get CORS working with an .NET web application hosted by IIS, but finally got it working with Windows authentication.

Here are the necessary requirements:

  1. The application pool must be running in Integrated mode, not Classic mode.
  2. You have to add a simple  HTTP module to your web service C# code to respond to the OPTIONS call without authentication: 
  3. public class CORSModule : IHttpModule
    {
        public void Dispose() { }
     
        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += delegate
            {
                if (context.Request.HttpMethod == "OPTIONS")
                {
                    var response = context.Response;
                    response.StatusCode = (int)HttpStatusCode.OK;
                }
            };
        }
    }
     
  4. You need to add these Header lines to the web.config:
  5. <?xml version="1.0" encoding="utf-8"?>
    <configuration>
     <system.webServer>
      <httpProtocol>
         <customHeaders>
            <add name="Access-Control-Allow-Origin" value="https://myserver" />
            <add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
            <add name="Access-Control-Allow-Headers" value="Accept,Authorization,Content-Type,SOAPAction,X-RequestDigest" />
     <add name="Access-Control-Request-Headers" value="Content-Type,Authorization,Accept,SOAPAction,X-Requested-With" />
            <add name="Access-Control-Allow-Credentials" value="true" />
          </customHeaders>
        </httpProtocol>
      <modules>
        <add name="CORSModule" type="CORSModule" />
      </modules>
      </system.webServer>
    </configuration>
    </configuration>
     
  6. You need to add the "WithCredentials: true" to your JavaScript Ajax call to pass the Windows credentials if you're using Windows authentication.