Aug 30, 2016


I've struggled quite a bit to get CORS working with an .NET web application hosted by IIS, but finally got it working with Windows authentication.

Here are the necessary requirements:

  1. The application pool must be running in Integrated mode, not Classic mode.
  2. You have to add a simple  HTTP module to your web service C# code to respond to the OPTIONS call without authentication: 
  3. public class CORSModule : IHttpModule
        public void Dispose() { }
        public void Init(HttpApplication context)
            context.PreSendRequestHeaders += delegate
                if (context.Request.HttpMethod == "OPTIONS")
                    var response = context.Response;
                    response.StatusCode = (int)HttpStatusCode.OK;
  4. You need to add these Header lines to the web.config:
  5. <?xml version="1.0" encoding="utf-8"?>
            <add name="Access-Control-Allow-Origin" value="https://myserver" />
            <add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
            <add name="Access-Control-Allow-Headers" value="Accept,Authorization,Content-Type,SOAPAction,X-RequestDigest" />
     <add name="Access-Control-Request-Headers" value="Content-Type,Authorization,Accept,SOAPAction,X-Requested-With" />
            <add name="Access-Control-Allow-Credentials" value="true" />
        <add name="CORSModule" type="CORSModule" />
  6. You need to add the "WithCredentials: true" to your JavaScript Ajax call to pass the Windows credentials if you're using Windows authentication.