8

As far as I understand, OPTIONS request must be processed without authentication. I am hosting my web application in IIS 7.x and 8.x and it is using NTLM and Kerberos authentication (this is an intranet application).

How do I disable authentication for OPTIONS request in IIS in case of Windows authentication?

IT Hit WebDAV
  • 5,652
  • 12
  • 61
  • 98
  • Nothing like this is mentioned in chapter 9.2. Where do you draw this information from? The other stackoverflow question isn't a reference for that. – Michael-O Sep 13 '14 at 21:39
  • I removed link to that question. If you think that OPTIONS should be served only after successful authentication please provide some more explanation. From my experience it comes that applications that utilize OPTIONS request (for example web browser preflight requests) does not work if you reply with anything other than "200 OK" to OPTIONS. – IT Hit WebDAV Sep 14 '14 at 02:29
  • I have never seen a browser sending an `OPTIONS` request. The only request browsers use are `GET`, `POST` and probably `HEAD`. – Michael-O Sep 14 '14 at 10:36
  • 2
    The browser can send Option requests when using CORS ... http://stackoverflow.com/questions/15734031/why-does-the-preflight-options-request-of-an-authenticated-cors-request-work-in – KickerKeeper Nov 30 '14 at 11:17

1 Answers1

2

Go to handler mappings feature in IIS and edit Authentication handler and remove OPTIONS verb from registering for requests with OPTIONS. Hope that helps

JOAT
  • 188
  • 7
  • 2
    Pictures? I don't see an Authentication handler listed in the Handler's section. Was it the OPTIONSVerbHandler? – Daryl Oct 12 '18 at 15:46