Eugene Agafonov, Microsoft MVP ASP.NET, RSDN Team, .NET and C# expert. Head of Educational Products Development at ABBYY
Евгений Агафонов, Microsoft MVP ASP.NET, RSDN Team, .NET и C# эксперт. Руководитель группы разработки образовательных продуктов в ABBYY

Today I met the challenging problem with one of my web apis running under IIS 8. CORS support which was implemented with nuget library Thinktecture.IdentityModel didn’t work properly.
Here you can find information how to use this library, and here is the link to configuration issues with IIS.

After spending some time with a fiddler tool I found out that the client sends the proper HTTP OPTIONS request, but the response from server lacks Access-Control-Allow-Origin and other useful http headers.

After some experiments it turned out that if I enable RAMMFAR option ( runAllManagedModulesForAllRequests=”true”) in web api web.config, the CORS delegating handler starts to work. However I don’t like turning on this option, even if it doesn’t really affect all managed modules in IIS, so I kept experimenting.

I found out that there is another handler defined in IIS, called OPTIONSVerbHandler. As soon as I removed it via application web.config file, CORS support started to work properly without need to enable RAMMFAR option.

This is system.webServer section in web.config: