CORS and Windows Authentication
If you want to use Windows authentication with CORS, then a few things need to be configured properly.
First, on the server, your CORS configuration needs to allow credentials, which means emitting the Access-Control-Allow-Credentials: true response header on both preflight and simple CORS requests. If you’re using the CORS feature of the ThinkTecture.IdentityModel security library, then all you need to do is use the AllowCookies() option (I am thinking of renaming it to AllowCookiesAndCredentials() to be more descriptive).
Then in your client code (I’m assuming jQuery here), if you wish to support integrated Windows authentication, you simply need to tell jQuery (and consequently the XMLHttpRequest) that it is allowed to perform the authorization handshake (via the withCredentials flag):
$.ajax({
    url: url,
    type: "GET",
    data: { /* request data */ },
    // ... other options ...
    xhrFields: {
        // let the XMLHttpRequest perform the authorization handshake
        withCredentials: true
    }
});
or if you’d prefer to do basic authentication and have the username and password to pass, you can do this:
$.ajax({
    url: url,
    type: "GET",
    data: { /* request data */ },
    // ... other options ...
    username: "username",
    password: "password",
    xhrFields: {
        withCredentials: true
    }
});
HTH
Thanks, you saved my day
This works great when using IE against an IIS server. However, neither Firefox nor Chrome will work. When the latter browsers send the HTTP OPTIONS request to get the CORS headers, IIS sends a 401 Unauthorized response to start authentication negotiation. Both Firefox and Chrome bail out at that point. Is there any way to get this to work with those browsers?
Well, 401 on OPTIONS for CORS is the wrong response. If you think about it, without CORS then how could you know you could send credentials, and thus the 401 is premature. What you need is something in IIS (like a module) to do a proper CORS response (and prevent/change the 401).
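The server-side behaviour discussed above, as an added sketch that is not code from the post or from the ThinkTecture.IdentityModel library: the preflight is answered before authentication runs (so no 401 on OPTIONS), and Access-Control-Allow-Credentials is emitted on both preflight and actual responses. It is a framework-neutral model in JavaScript rather than an IIS module; corsResponse, getHeader, the allow-lists and the example origin are hypothetical names and constructed values, and the 403/204 status codes are this example's choice.

```javascript
// Constructed allow-lists for illustration; a real deployment supplies its own.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type"];

// HTTP header names are case-insensitive.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Returns { shortCircuit, status, headers }. When shortCircuit is true the
// response is sent as-is and the request never reaches Windows authentication.
function corsResponse(req) {
  const origin = getHeader(req.headers, "Origin");
  const requested = getHeader(req.headers, "Access-Control-Request-Method");
  const isPreflight = req.method === "OPTIONS" && requested !== undefined;

  if (origin === undefined) {
    return { shortCircuit: false, status: null, headers: {} }; // not a CORS request
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Untrusted origin: no CORS headers, so the browser withholds the response.
    return { shortCircuit: isPreflight, status: isPreflight ? 403 : null, headers: {} };
  }
  const headers = {
    // Must be the specific origin: browsers reject "*" when credentials are sent.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
  if (!isPreflight) {
    // Actual request: attach the headers, then let authentication run as usual.
    return { shortCircuit: false, status: null, headers };
  }
  if (!ALLOWED_METHODS.includes(requested)) {
    return { shortCircuit: true, status: 403, headers: {} };
  }
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  return { shortCircuit: true, status: 204, headers };
}
```

The specific-origin allow-list matters here because a credentialed response readable by any origin would expose the authenticated user's data to every site they visit.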