I'm running an Http.sys web server Windows Service that requires authentication. The API endpoints are being called from a site hosted in IIS.
CORS configuration on the API service:

```csharp
var corsOrigins = configuration.GetSection("AllowedCorsOrigins").Get<string[]>();
builder.Services.AddCors(o =>
{
    o.AddPolicy("CorsPolicy", b =>
    {
        b.WithOrigins(corsOrigins)
            .AllowCredentials()
            .AllowAnyMethod()
            .AllowAnyHeader();
    });
});
```
Further down:

```csharp
app.UseStaticFiles();
app.UseRouting();
app.UseCors("CorsPolicy");
app.UseAuthentication();
app.UseAuthorization();
```
HttpSys configuration:

```csharp
builder.WebHost.UseHttpSys(options =>
{
    options.Authentication.Schemes = AuthenticationSchemes.Negotiate;
    options.Authentication.AllowAnonymous = false;
    if (prefixes?.Count > 0)
    {
        foreach (var prefix in prefixes)
        {
            options.UrlPrefixes.Add(prefix);
        }
    }
});
```
The problem appears to be that the negotiation mechanism fails during the preflight request and the browser doesn't receive the expected headers, which the browser interprets as a CORS error ("No 'Access-Control-Allow-Origin' header is present on the requested resource.").
Is there a way to disable authentication on preflight requests without explicitly adding OPTIONS endpoints for all API methods?
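
One configuration that lets preflight through while keeping every endpoint authenticated, as an added example that is not part of the original post: HTTP.sys admits anonymous requests, the CORS middleware answers the preflight before authorization runs, and a fallback authorization policy requires an authenticated user everywhere else. It assumes a minimal-hosting `Program.cs` with implicit usings; the `/api/whoami` endpoint is hypothetical and the URL prefix loop from the question is omitted.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Server.HttpSys;

var builder = WebApplication.CreateBuilder(args);

// Same configuration key and policy as in the question.
var corsOrigins = builder.Configuration
    .GetSection("AllowedCorsOrigins").Get<string[]>() ?? Array.Empty<string>();

builder.Services.AddCors(o => o.AddPolicy("CorsPolicy", b => b
    .WithOrigins(corsOrigins)
    .AllowCredentials()
    .AllowAnyMethod()
    .AllowAnyHeader()));

// Let the authorization middleware issue the Negotiate challenge through HTTP.sys.
builder.Services.AddAuthentication(HttpSysDefaults.AuthenticationScheme);

// With anonymous requests admitted at the server, deny by default:
// any endpoint without its own authorization metadata requires an authenticated user.
builder.Services.AddAuthorization(o =>
{
    o.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

builder.WebHost.UseHttpSys(options =>
{
    options.Authentication.Schemes = AuthenticationSchemes.Negotiate;
    // Browsers send preflight OPTIONS without credentials, so HTTP.sys must not
    // reject unauthenticated requests before the pipeline sees them.
    options.Authentication.AllowAnonymous = true;
});

var app = builder.Build();

app.UseStaticFiles();        // runs before authorization: static files are served anonymously
app.UseRouting();
app.UseCors("CorsPolicy");   // answers the preflight here, before authentication/authorization
app.UseAuthentication();
app.UseAuthorization();      // unauthenticated non-preflight requests get a 401 Negotiate challenge

// Hypothetical endpoint: reachable only after Negotiate succeeds (fallback policy).
app.MapGet("/api/whoami", (HttpContext ctx) => ctx.User.Identity?.Name ?? "(unknown)");

app.Run();
```

With `AllowAnonymous = true` the fallback policy is what enforces authentication, so an endpoint marked `[AllowAnonymous]` or middleware placed ahead of `UseAuthorization()` is reachable without credentials and should be reviewed accordingly.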