Skip to content Skip to sidebar Skip to footer
Home / Asp.net Web Api / Cors / Javascript / Preflight / Windows Authentication

How To Authorize Cors Preflight Request On Iis With Windows Authentication

Post a Comment
I have an API on ASP.net Core 2 (windows authentication) and a front on angular. I make a cors configuration to querying my backend from the SPA angular, but im blocked in cause o

Solution 1:

There are several ways to accomplish this, other answers can be found on this similar question --> Angular4 ASP.NET Core 1.2 Windows Authentication CORS for PUT and POST Gives 401

CORS Module

It is possible to configure IIS by using the CORS Module. As seen here: https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module And further information available here: https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module

The IIS CORS module is designed to handle the CORS preflight requests before other IIS modules handle the same request. The OPTIONS requests are always anonymous, so CORS module provides IIS servers a way to correctly respond to the preflight request even if anonymous authentification needs to be disabled server-wise.

You will need to enable the CORS Module via the Webconfig:

<?xml version="1.0"?><configuration><system.webServer><corsenabled="true"><addorigin="*"allowCredentials="true" /></cors></system.webServer></configuration>

for more granular control:

<?xml version="1.0"?><configuration><system.webServer><corsenabled="true"><addorigin="https://readonlyservice.constoso.com"allowCredentials="true"><allowMethods><addmethod="GET" /><addmethod="HEAD" /></allowMethods><allowHeaders><addheader="content-type" /><addheader="accept" /></allowHeaders></add><addorigin="https://readwriteservice.constoso.com"allowCredentials="true"><allowMethods><addmethod="GET" /><addmethod="HEAD" /><addmethod="POST" /><addmethod="PUT" /><addmethod="DELETE" /></allowMethods></add></cors></system.webServer></configuration>

Redirect OPTIONS

You can redirect all OPTIONS requests to always give an OK status. This will however subvert the entire idea of a preflight request, so use this only if it's applicable to your situation.

Install the redirect module in IIS. Add the following redirect to your Webconfig.

<rewrite><rules><rulename="CORS Preflight Anonymous Authentication"stopProcessing="true"><matchurl=".*" /><conditions><addinput="{REQUEST_METHOD}"pattern="^OPTIONS$" /></conditions><actiontype="CustomResponse"statusCode="200"statusReason="Preflight"statusDescription="Preflight" /></rule></rules></rewrite>

Middleware

Alternatively the desired result can be achieved by enabling anonymous authentication in IIS and creating a middleware in the Net Core API that checks if a person is properly authenticated.

Middleware:

publicAuthorizationMiddleware(RequestDelegate next, ILogger logger)
{
    _next = next;
    _log = logger;
}

publicasync Task Invoke(HttpContext httpContext)
{
    //Allow OPTIONS requests to be anonymousif (httpContext.Request.Method != "OPTIONS" && !httpContext.User.Identity.IsAuthenticated)
    {
        httpContext.Response.StatusCode = 401;
        await httpContext.Response.WriteAsync("Not Authenticated");
    }
    await _next(httpContext);
}

Solution 2:

Preflight request does not send authentication information. So, enable anonymous authentication as well (no need to remove windows authentication). refer to https://stackoverflow.com/a/50354772/946773

Solution 3:

I solved my problem with the IIS module Cors

You may like these posts

Post a Comment for "How To Authorize Cors Preflight Request On Iis With Windows Authentication"