CORS + Windows Auth + Web.config

I had recently run into a case where I was using a simple Windows Auth in web.config with CORS.

I was struggling with why I kept receiving 401's on OPTIONS request. I know that OPTIONS don’t expect cookies or additional headers for the preflight so I was not authenticating even when withCredentials is enabled.

I had expected IIS to atleast carry over credentials but no luck. So a fix is to enable the OPTIONS verb to anonymous users as below:

Sample web.config

  <authentication mode="Windows" />
    <!-- This will enable OPTIONS for everyone -->
    <allow verbs="OPTIONS" users="?" />