How to authorize CORS preflight request on IIS with Windows Authentication

by

There are several ways to accomplish this, other answers can be found on this similar question –> Angular4 ASP.NET Core 1.2 Windows Authentication CORS for PUT and POST Gives 401

CORS Module

It is possible to configure IIS by using the CORS Module.
As seen here: https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module
And further information available here: https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module

The IIS CORS module is designed to handle the CORS preflight requests
before other IIS modules handle the same request. The OPTIONS requests
are always anonymous, so CORS module provides IIS servers a way to
correctly respond to the preflight request even if anonymous
authentification needs to be disabled server-wise.

You will need to enable the CORS Module via the Webconfig:

<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <cors enabled="true">
      <add origin="*" allowCredentials="true" />
    </cors>
  </system.webServer>
</configuration>

for more granular control:

<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <cors enabled="true">
      <add origin="https://readonlyservice.constoso.com" allowCredentials="true">
        <allowMethods>
            <add method="GET" />
            <add method="HEAD" />
        </allowMethods>
        <allowHeaders>
            <add header="content-type" /> 
            <add header="accept" /> 
        </allowHeaders>
      </add>
      <add origin="https://readwriteservice.constoso.com" allowCredentials="true">
        <allowMethods>
            <add method="GET" />
            <add method="HEAD" />
            <add method="POST" />
            <add method="PUT" /> 
            <add method="DELETE" />         
        </allowMethods>
      </add>
    </cors>
  </system.webServer>
</configuration>

Redirect OPTIONS

You can redirect all OPTIONS requests to always give an OK status.
This will however subvert the entire idea of a preflight request, so use this only if it’s applicable to your situation.

Install the redirect module in IIS.
Add the following redirect to your Webconfig.

<rewrite>
    <rules>
        <rule name="CORS Preflight Anonymous Authentication" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{REQUEST_METHOD}" pattern="^OPTIONS$" />
            </conditions>
            <action type="CustomResponse" statusCode="200" statusReason="Preflight" statusDescription="Preflight" />
        </rule>
    </rules>
</rewrite>

Middleware

Alternatively the desired result can be achieved by enabling anonymous authentication in IIS and creating a middleware in the Net Core API that checks if a person is properly authenticated.

Middleware:

public AuthorizationMiddleware(RequestDelegate next, ILogger logger)
{
    _next = next;
    _log = logger;
}

public async Task Invoke(HttpContext httpContext)
{
    //Allow OPTIONS requests to be anonymous
    if (httpContext.Request.Method != "OPTIONS" && !httpContext.User.Identity.IsAuthenticated)
    {
        httpContext.Response.StatusCode = 401;
        await httpContext.Response.WriteAsync("Not Authenticated");
    }
    await _next(httpContext);
}

More Related Contents:

  1. No ‘Access-Control-Allow-Origin’ header is present on the requested resource—when trying to get data from a REST API
  2. AngularJS CORS Issues
  3. Why does my JavaScript code receive a “No ‘Access-Control-Allow-Origin’ header is present on the requested resource” error, while Postman does not?
  4. XMLHttpRequest cannot load XXX No ‘Access-Control-Allow-Origin’ header
  5. Enabling CORS in Cloud Functions for Firebase
  6. jQuery XML error ‘ No ‘Access-Control-Allow-Origin’ header is present on the requested resource.’
  7. How to configure CORS in a Spring Boot + Spring Security application?
  8. Request header field Access-Control-Allow-Headers is not allowed by Access-Control-Allow-Headers
  9. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘…’ is therefore not allowed access
  10. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  11. How to enable cors nodejs with express?
  12. HTTP status code 401 even though I’m sending credentials in the request
  13. canvas.toDataURL() SecurityError
  14. CORS error on same domain?
  15. Firefox ‘Cross-Origin Request Blocked’ despite headers [closed]
  16. Understanding AJAX CORS and security considerations
  17. CORS request not working in Safari
  18. Cross Domain Resource Sharing GET: ‘refused to get unsafe header “etag”‘ from Response
  19. What’s to stop malicious code from spoofing the “Origin” header to exploit CORS?
  20. CORS – Is it a client-side thing, a server-side thing, or a transport level thing? [duplicate]
  21. Access to Image from origin ‘null’ has been blocked by CORS policy
  22. How to allow CORS in react.js?
  23. fetch() does not send headers?
  24. Cross-domain requests stopped working due to no `Access-Control-Allow-Origin` header present in the response
  25. HTTP request from Angular sent as OPTIONS instead of POST
  26. Solve Cross Origin Resource Sharing with Flask
  27. How to Detect Cross Origin (CORS) Error vs. Other Types of Errors for XMLHttpRequest() in Javascript
  28. Cross-domain connection in Socket.IO
  29. Pushing data to Google spreadsheet through JavaScript running in browser
  30. WebAPI CORS with Windows Authentication – allow Anonymous OPTIONS request

Leave a Comment