CORS + Windows Auth + Web.config

I had recently run into a case where I was using a simple Windows Auth in web.config with CORS.

I was struggling with why I kept receiving 401's on OPTIONS request. I know that OPTIONS don’t expect cookies or additional headers for the preflight so I was not authenticating even when withCredentials is enabled.

I had expected IIS to atleast carry over credentials but no luck. So a fix is to enable the OPTIONS verb to anonymous users as below:

Sample web.config

<system.web>
  ...
  <authentication mode="Windows" />
  <authorization>
    <!-- This will enable OPTIONS for everyone -->
    <allow verbs="OPTIONS" users="?" />
    ...
  </authorization>
  ...
</system.web>