I had recently run into a case where I was using a simple Windows Auth in
web.config with CORS.
I was struggling with why I kept receiving
OPTIONS request. I know that
OPTIONS don’t expect cookies or additional headers for the preflight so I was not authenticating even when
withCredentials is enabled.
I had expected IIS to atleast carry over credentials but no luck. So a fix is to enable the
OPTIONS verb to anonymous users as below:
<system.web> ... <authentication mode="Windows" /> <authorization> <!-- This will enable OPTIONS for everyone --> <allow verbs="OPTIONS" users="?" /> ... </authorization> ... </system.web>