Skip to content


October 18, 2012

The most common problem encountered when trying to get CORS working in IIS is WebDAV. WebDAV is installed as both a module and a handler. It wants to process OPTIONS requests but doesn’t know what to do for CORS (especially if you’re using the CORS support from Thinktecture.IdentityModel). The fix is to remove both the module and handler in web.config.

The other common problem when using the CORS support from Thnktecture.IdentityModel is that the handler for .NET code (the ExtensionlessUrlHandler) by default only allows GET, POST, HEAD and DEBUG methods. We want it to also process OPTIONS, so this needs to be configured. Fortunately in the MVC 4 templates this is configured automatically, but if you’re doing something other than MVC 4 then you will have to configure it yourself.

Here’s what your web.config should look like to disable WebDAV and allow OPTIONS for the ExtensionlessUrlHandler:

    <modules runAllManagedModulesForAllRequests="true">
      <remove name="WebDAVModule" />
      <remove name="WebDAV" />
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />


15 Comments leave one →
  1. gmetzker permalink
    October 19, 2012 9:30 pm

    Thanks for the post. I was having issues with this earlier. In my scenario I was able to get this working with this config:

    In your example you have the additional handler removed for WebDAV. Can you tell me the difference from your config to the one in my screen shot?

    I appreciate the help. Thanks much.

    • October 19, 2012 9:56 pm

      Seems that the only diff if the “runAllManagedModulesForAllRequests”. This just means to run the .NET HTTP modules for all requests including static files and non-.NET handlers. I don’t know if you need this either way — depends upon what modules you need. But I think it’s unrelated to CORS, because any CORS request would map to .NET code (at least if you’re talking about the Thinktecture.IdentityModel CORS implementation).

      Are you still having problems?

  2. gmetzker permalink
    October 19, 2012 10:05 pm

    It’s working now with the config from my screen shot. Although I might try your config. At this point I’m really just trying to understand it better.

    At first I just had the WebDav Module removed. This only worked in IIS8. In IIS 7.5 something was still handing the “OPTIONS” verb and it would get no where near my custom handler or your IdentityModel Cors handler.

    To get it work in IIS 7.5 I did as follows:
    a) Removing the WebDav module.
    b) set runAllManagedModulesForAllRequests = true.
    (I did not have WebDAV handler removed as in your example above, but I would like to try that).

    • October 19, 2012 10:15 pm

      Yea, I suspect it’s the WebDAV handler — I wrote this post from testing on my Win7 test VM and I had to remove both the handler and module. The “runAllManagedModules” setting is unrelated, IMO.

  3. November 8, 2012 5:45 pm

    Just thought I would chime in. I tried setting up my web.config exactly like above, but I couldn’t get this issue resolved until I added the runAllManagedModulesForAllRequests = true like gmetzker pointed out. I’m running in IIS8 on Server 2012.

  4. December 27, 2012 10:05 am

    Good post. But it doesn’t work in my situation. I use WebApi as server-side and MVC 4 as client-side. In WebAPI app i added Thinktecture.IdentityModel and removed WebDAV module and handler in web.config. From MVC client-side i send DELETE request method from jQuery ajax. Fiddler showed that OPTION request returned 200 OK and nothing more. Browser showed jQuery error: Origin “mysite” is not allowed by Access-Control-Allow-Origin. I don’t understand in what may be a bug.
    Thank. Sorry for bad english.

    • December 27, 2012 10:35 am

      @Mike — there’s also an OPTIONS http handler — maybe this is also getting in the way?

      • Mike Summers permalink
        September 22, 2013 4:21 pm

        Hi Brock I realise this is a while since you were discussing, but I just cannot get my configuration right. I have tried all the configs above but whenever i test communication (usually using or similar) it gets refused saying origin not allowed. I have set the cors configuration to Allowall so I can get it working and worry about refining it later but to no avail.
        I am using webapi server side and then using to test communication with it. When I could not get it working with the full version of my app i created a couple of test projects with only the simple basics in place, using Thinktecture to provide CORS handling.
        I was following through the comments and just wondered if you could give any advice regarding your mention of the OPTIONS handler (since I have tried everything else mentioned) ?

        • September 22, 2013 5:10 pm

          Sorry, it’s very hard for me to tell given that there are so many environmental variables.

  5. October 10, 2013 2:08 pm

    Everything worked like a charm from your code in localhost But didn’t work in IIS8 I finally figured out the error causing the problem.


    The above config settings was overwriting the CORS from Thinktecture and I commented it. It started working.


  6. Per Erik Gransøe permalink
    January 16, 2014 1:45 pm

    I’ve tried with a minimal MVC project, with a the Thinktecture CORS library. My web.config is as specified on top of the post disabling WebDAV – and the Global.asax.cs extended with CORS registration (the sledgehammer version :)).
    But still my test project doesn’t respond with CORS headers. I’ve tried this in IIS developer context as well as IIS 8 context. Same result. I’m testing my headers with a HTTP REST posting tool (Postman).

    What might be wrong?


  1. CORS support in WebAPI, MVC and IIS with Thinktecture.IdentityModel « brockallen
  2. How do I accept CORS AJAX requests on AppHarbor?
  3. REST, WEB API And CORS | Cloud2013 Or Bust

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: