CORS 405 Method Not Allowed

My IIS 8 instance is fresh installation, it seems I needed to make some modifications to the Handler Mappings

Backup IIS Configuration

In the event that any of the sugggested changes break your existing websites it's best to make a backup of the applicationhost.config file

  1. Navigate to C:\Windows\System32\inetsrv\config
  2. Make a copy of applicationhost.config

Remove Unused Handlers

As a starting point I removed all unused Handler Mappings to reduce the problem space. You can do this by modifying the applicationhost.config directly or by using IIS Manager

  1. Open IIS Manager
  2. Either on the server node or the individual website node select the Handler Mappings feature
  3. Manually remove all mappings that you don't need.

My websites are heavily service based and just depend on static files and files with the .aspx and .svc files extensions. I also manually removed all references to .NET 2.0 throughout the configuration file.

Add OPTIONS Handler

This seems to be the fix.

  1. Open IIS Manager
  2. Either on the server node or the individual website node select the Handler Mappings feature
  3. In the lefthand column select Add Module Mapping
  4. In the Add Module Mapping dialog use the following values.
    • Request path - *
    • Module - ProtocolSupportModule
    • Executable - [Leave blank]
    • Name - [Whatever you want]
  5. Click Request Restrictions
    • In the Mapping tab, unckeck Invoke handler only if request is mapped to
    • In the Verbs tab ensure OPTIONS is selected
    • In the Access tab select Script

My resulting Handlers configuration looks like this

<handlers accessPolicy="Read, Script">
    <add name="OPTIONS" path="*" verb="OPTIONS" modules="ProtocolSupportModule" resourceType="Unspecified" />
    <add name="svc-Integrated-4.0" path="*.svc" verb="*" type="System.ServiceModel.Activation.ServiceHttpHandlerFactory, System.ServiceModel.Activation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" />
    <add name="SecurityCertificate" path="*.cer" verb="GET,HEAD,POST" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="File" />
    <add name="ISAPI-dll" path="*.dll" verb="*" modules="IsapiModule" resourceType="File" requireAccess="Execute" allowPathInfo="true" />
    <add name="PageHandlerFactory-Integrated-4.0" path="*.aspx" verb="GET,HEAD,POST,DEBUG" type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" />
    <add name="CGI-exe" path="*.exe" verb="*" modules="CgiModule" resourceType="File" requireAccess="Execute" allowPathInfo="true" />
    <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" responseBufferLimit="0" />
    <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
</handlers>

In my case I had to go Handler Mappings, switch to Ordered View, then move OPTIONSVerbHandler all the way to the top of the list.


For my instance:

  1. Make sure the "Access-Control-Allow-Headers" and "Access-Control-Allow-Methods" in request is less or equal than that in response.(Don't use "*")

  2. Remove this line <remove name="OPTIONSVerbHandler" /> in Web.config

Tags:

Cors

Iis 8

Recent Posts