Enabling CORS for .NET Web Api on Azure - azure

I have both my web and api projects deployed to separate Azure webapps and am struggling with a CORS issue. When deployed locally everything works fine, but not once published to Azure.
I am using two different methods to enable CORS and neither seem to be solving my issue.
Potential Fixes:
In my web.config I add a customHeader for <add name="Access-Control-Allow-Origin" value="*" />
In the Register method of WebApiConfig.cs I call enableCors as var cors = new EnableCorsAttribute("*", "*", "*"); config.EnableCors(cors);
The scenarios, referencing the above two fixes, are as follows:
With neither #1 or #2 used every server call returns a no access-control-allow-origin error (expected)
With both #1 and #2 used I receive an error that I am enabling CORS twice with the same value (expected)
If I only use #1 I don't receive a CORS error but every API method returns a 405 not allowed error
If I only use #2 every api call returns a no access-control-allow-origin error
Question: How can I globally enable CORS for my .NET Web Api project hosted in Azure?
appstart and register code:
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
GlobalConfiguration.Configure(WebApiConfig.Register);
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
}
public static void Register(HttpConfiguration config)
{
// Enable CORS
// TODO, * below is debug only
var cors = new EnableCorsAttribute("*", "*", "*");
config.EnableCors(cors);
// Web API configuration and services
// Configure Web API to use only bearer token authentication.
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
// Web API routes
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
}

I think this is the common issue with IIS default optionshandler. You have to update your Web.Config to disable defaults handlers. This is what I use for ASP.Net vnext hosted on Azure.
<system.webServer>
<modules>
<remove name="WebDAVModule" />
</modules>
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="WebDav" />
<remove name="OPTIONSVerbHandler" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>

I found that adding the Allow headers to web.config was the simplest way to get things working for me. Note you can't use both methods, you must choose one or the other.
I believe the solution to your 405 Not Allowed error is that you also need to include a line like this in web.config:
<add name="Access-Control-Allow-Headers" value="Authorization, Origin, Content-Type "/>
If you are still getting that error, you may need to include additional values from this list:
<add name="Access-Control-Allow-Headers" value="Access-Control-Allow-Headers, Authorization, Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers" />

Related

CORS policy error despite configuring the recommended options in startup.cs

I have a .net core 5.0 web API which I am hosting on IIS. The front end is in Angular and is used for all the API requests.
Based on the documentation I have read to enable CORS, I have configured my startup.cs as below :
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
app.UseCors(options =>
options.WithOrigins(Configuration["ApplicationSettings:ClientURL"].ToString()
).AllowAnyMethod()
.AllowAnyHeader());
<other stuff>
public void ConfigureServices(IServiceCollection services){
services.AddCors();
}
and here's my appsettings.json file :
"ApplicationSettings": {
"ClientURL": "http://localhost:4200"
}
This configuration works as expected when I run the server through VS. But when I host this application in IIS, I get the error below :
Access to XMLHttpRequest at 'http://localhost:91/api/User/Login' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
According to the documents on Enable Cross-Origin Requests (CORS) in ASP.NET Core by Microsoft, this should be enough. However, I still configured the web.config on the server hosting IIS as below :
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="." inheritInChildApplications="false">
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Methods" value="POST,GET,OPTIONS,PUT,DELETE" />
<add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept" />
</customHeaders>
</httpProtocol>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\WebKeyMaster.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
</system.webServer>
</location>
</configuration>
But this doesn't help my case either. Can someone please tell me if there's anything wrong with my configuration?
I suggest you could check your middleware's order to make sure the Calls the UseCors extension method and specifies the _myAllowSpecificOrigins CORS policy. The call to UseCors must be placed after UseRouting, but before UseAuthorization.
For more information, see Middleware order.

Enabling OPTIONS method on Azure Cloud Service (to enable CORS)

I am developing a public API using Azure API Management, which then calls service methods in my cloud service.
To allow other apps to use this API from a browser environment, I need to enable CORS in the cloud service. Enabling CORS involves handling OPTIONS requests which are sent by the browser as a pre-flight to check if the correct headers are set.
To make sure the OPTIONS request reaches my application I have had to make a few changes in my web.config:
<system.webServer>
<handlers>
<remove name="SimpleHandlerFactory-Integrated-4.0" />
<remove name="SimpleHandlerFactory-Integrated" />
<remove name="SimpleHandlerFactory-ISAPI-4.0_64bit" />
<remove name="SimpleHandlerFactory-ISAPI-4.0_32bit" />
<remove name="SimpleHandlerFactory-ISAPI-2.0-64" />
<remove name="SimpleHandlerFactory-ISAPI-2.0" />
<remove name="OPTIONSVerbHandler" />
<add name="OPTIONSVerbHandler" path="*" verb="OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="None" preCondition="bitness32" />
<add name="SimpleHandlerFactory-ISAPI-2.0" path="*.ashx" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv2.0,bitness32" responseBufferLimit="0" />
<add name="SimpleHandlerFactory-ISAPI-2.0-64" path="*.ashx" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv2.0,bitness64" responseBufferLimit="0" />
<add name="SimpleHandlerFactory-ISAPI-4.0_32bit" path="*.ashx" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="SimpleHandlerFactory-ISAPI-4.0_64bit" path="*.ashx" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="SimpleHandlerFactory-Integrated" path="*.ashx" verb="*" type="System.Web.UI.SimpleHandlerFactory" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv2.0" />
<add name="SimpleHandlerFactory-Integrated-4.0" path="*.ashx" verb="*" type="System.Web.UI.SimpleHandlerFactory" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
. . .
</system.webServer>
This ensures that the OPTIONS calls reach my .ashx and .svc code in which I can then set the correct headers.
This all works fine locally when I call the services from another domain, for example using js fiddle.
However, when I upload my application to Azure, it no longer works. Any OPTIONS requests return a 404 immediately.
It seems that the handler definitions used to forward the OPTIONS requests to my applications do not work on Azure.
My question is: what do I need to configure to make sure OPTIONS requests reach my application and can be handled there on Azure?
In the end I ended up removing the handlers as in my question, but adding two custom handlers:
<remove name="SimpleHandlerFactory-Integrated-4.0" />
<remove name="SimpleHandlerFactory-Integrated" />
<remove name="SimpleHandlerFactory-ISAPI-4.0_64bit" />
<remove name="SimpleHandlerFactory-ISAPI-4.0_32bit" />
<remove name="SimpleHandlerFactory-ISAPI-2.0-64" />
<remove name="SimpleHandlerFactory-ISAPI-2.0" />
<remove name="OPTIONSVerbHandler" />
<!-- Added the following handlers -->
<add name="AshxHandler" path="*.ashx" verb="*"
type="System.Web.UI.SimpleHandlerFactory" resourceType="Unspecified"
requireAccess="Script"/>
<add name="SvcHandler" path="*.svc" verb="*"
type="System.Web.UI.SimpleHandlerFactory" resourceType="Unspecified"
requireAccess="Script"/>
Another part of the answer was adding the OPTIONS operations in API Management.
Using the CORS policy of API Management as suggested by Miao Jiang actually did not work and in fact breaks CORS in my situation when I include it now.
I'm sure it will work for other situations though.
EDIT: I ended up using policies anyway, and it now works. No OPTIONS operations need to be added. I've used the following policy on API level:
<policies>
<inbound>
<base />
<cors>
<allowed-origins>
<origin>*</origin>
</allowed-origins>
<allowed-methods>
<method>GET</method>
<method>POST</method>
<method>OPTIONS</method>
</allowed-methods>
<allowed-headers>
<header>*</header>
</allowed-headers>
</cors>
</inbound>
<outbound>
<base />
</outbound>
</policies>
I had a similar issue with OPTIONS request on an Web API running on Azure. There was a simple fix available:
In the Azure Portal, click on your App Service to open the management interface.
Scroll down the list of management options until you reach the 'API' section, and click on 'CORS'
Either enter the web address of the allowed origin, or enter '*' to allow all, and click Save.

Config File Error - Cannot access website via localhost

I am trying to access my website thru the following address:
http://localhost:8090/passcode
However I receive this error:
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
Config Error
This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
Config File \\?\E:\WK\Useful info\Password Portal\PassCore\web.config
Config Source:
36:
37: <handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
Can anyone explain to me what is wrong with that line of code, or is the error due to something else.
Could be as simple as making sure you've added the right roles and features to your server. I got this and added the .NET 4.5 features etc and it took care of this message. If you have done this and the error persists, you may need to make sure that your web.config can override these settings as the default I believe is not to allow a site to override these settings.

serving static JSON files on azure

I've made a simple Sencha Touch web application and deployed it to Azure to try Azure out. One of the first things Sencha Touch does is try to download an app.json file. On IIS I'd normally enable json in the mime types section, but I have not been able how to figure this out how to do this using the Azure Web Console. Consequently, a 404 error is returned when the app performs an XMLHttpRequest to get the file.
I've seen some post on SO about adding .json to the web.config and I tried the following, to no avail:
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<staticContent>
<remove fileExtension=".json"/>
<mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
The web app is here.
http://nsgapp.azurewebsites.net
Any input on how to enable an Azure shared-instance to serve .json files is greatly appreciated.
Nevermind, it was a silly error. I have two websites... one that serves the sencha web app and an ASP.NET MVC WebAPI site for the webservices. I was enabling json on the latter, when I should have been enabling it on the former because app.json is in served from the actual client application. So, the correct way to enable azure to download static json files is to make sure you have this:
<system.webServer>
<staticContent>
<remove fileExtension=".json"/>
<mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>
</system.webServer>
in the web.config.

IIS 7.5 + enable PUT and DELETE for RESTFul service, extensionless

i am trying to understand how IIS 7.5 handles POST and PUT request.
I am writing a RESTful service using OpenRasta framework. The POST operation works without any problem, but the PUT operation for the same URL does not. It returns error like the following
Detailed Error Information
Module: IIS Web Core
Notification: MapRequestHandler
Handler: StaticFile
Error Code: 0x80070002
the url is like this following "http://localhost/MyService/Resource.Something.manifest"
Same setup works fine in visual studio development IIS.
Solution
Basically the default ExtensionlessUrlHandler does not accept PUT and DELETE verb. Just need to add them.
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
To get PUT and DELETE to be accepted by IIS 7.5 for a PHP 5.4 fast-CGI driven REST API I had to disable the WebDAV-module. Otherwise the WebDAV module intervenes the HTTP requests using PUT or DELETE. To get this working was however a bit confusing and I might have missed some steps or done it in another order.
These lines are placed as children of the <system.webServer>-element in web.config in the application root.
<modules>
<remove name="WebDAVModule" />
</modules>
<handlers>
<remove name="WebDAV" />
</handlers>
Hopes this might spare some frustration. It seems like the default setting for the server is to accept any HTTP verb not listed - see settings under Request filtering -> HTTP Verbs -> Edit feature Settings. One may consider to explicitly add the VERBS that are to be allowed. The verbs allowed may be specified appending this snippet, also as a child of <system.webServer>.
<security>
<requestFiltering>
<verbs allowUnlisted="false">
<add verb="GET" allowed="true" />
<add verb="POST" allowed="true" />
<add verb="DELETE" allowed="true" />
<add verb="PUT" allowed="true" />
</verbs>
</requestFiltering>
</security>
On a client machine one can uninstall the WebDAV module from here:
Control Panel -> Uninstall Program -> Turn Windows features on or off -> IIS -> World Wide Web Services -> Common HTTP feautre -> WebDAV Publishing
The last measure to get it working was by editing applicationhost.config found in C:\Windows\System32\inetsrv\config. Within <system.webServer> -> <handlers> you will see a php entry that has just verb="GET,HEAD,POST - amend it to add the verbs you require, e.g.:
<add name="PHP54_via_FastCGI" path="*.php" verb="GET,HEAD,PUT,DELETE,POST"/>
|
|
|
append verbs here ----------------------------------------------|
1.Go to IIS Manager.
2.Click on your app.
3.Go to "Handler Mappings".
4.In the feature list, double click on "WebDAV".
5.Click on "Request Restrictions".
6.In the tab "Verbs" select "All verbs" .
7.Press OK.
See http://learn.iis.net/page.aspx/901/iis-express-faq/ that is linked from the OR wiki.
From the link (not block-quoted for readability):
A: You can modify the IIS Express applicationHost.config in the %userprofile%\documents\IISExpress\config folder. For example to enable PUT and DELETE for extensionless Urls scroll down to the bottom of the IIS Express applicationHost.config file and look for a handler entry that starts with:
<add name="ExtensionlessUrl-Integrated-4.0" …
In the verb attribute add PUT and DELETE so the verb attribute looks like: verb="GET,HEAD,POST,DEBUG,PUT,DELETE".
My scenario was a web application in a web site on IIS 7.5. The web site had to continue to enable WebDAV, but the web application needed to turn it off in order to support PUT and DELETE in its REST API.
To get that working, the web application's Web.config needed this:
<modules runAllManagedModulesForAllRequests="true" runManagedModulesForWebDavRequests="true" >
<remove name="WebDAVModule" />
</modules>
<handlers>
<remove name="WebDAV" />
</handlers>
The important difference from the other answers here is the need for runManagedModulesForWebDavRequests="true"
For me this does the trick in the web.config.
<system.webserver>
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" modules="IsapiModule" scriptProcessor="c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" type="System.Web.Handlers.TransferRequestHandler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
<system.webserver/>
<system.web>
<authentication mode="Windows" />
<identity impersonate="true"/>
<system.web/>
I used following configuration:
IIS 7.5
Windows Server 2008 R2
Custom Application Pool, .NET 4.0, Integrated
Windows Authentication = true
Anonymous Authentication = false
Hope it helps. ;-)
URLScan tool users
If other answers still don't work and you get 404 error: these verbs may be explicitly rejected by the URLScan tool, if you have it installed.
You can configure [AllowVerbs] and [DenyVerbs] sections of the URLScan.ini file to meet your needs.
Beware of the security risks of enabling these verbs.
What worked for me was uninstalling WebDav completely.
Going into the handler mappings and setting WebDAV to handle all verbs is the only thing that worked for me, despite the fact that PUT and DELETE were already listed as handled verbs. The working web.config I have is:
<system.webServer>
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
<remove name="WebDAV" />
<add name="WebDAV" path="*" verb="*" modules="WebDAVModule" resourceType="Unspecified" requireAccess="None" />
</handlers>
</system.webServer>
in the web.config
<system.webServer>
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" type="System.Web.Handlers.TransferRequestHandler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
you can also use the IIS management UI and define this globally, or default web server
I tried in IIS 8.
**uninstall WebDav Publishing
Steps to uninstall
-> Control Panel -> Go to Programs and features -> Turn windows
featues on or off-> Select Internet Information Services->World Wide
Web Services->Common HTTP Featues->"Remove" WebDAV Publishing by unchecking WebDAV option**
Reason for 500 error !
Hi all,
I want to post my own research too, I hope it would help future enthusiasts.
As suggested in answers, I can't uninstall WebDav so I have added the line below in web config (from other answers)
<system.webServer>
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" type="System.Web.Handlers.TransferRequestHandler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
but I got a 500 error, when I have enabled debug mode found this
Cannot add duplicate collection entry of type 'add' with unique key attribute 'name' set to 'ExtensionlessUrlHandler-Integrated-4.0'
Answer
Its because there was already an ExtensionlessUrlHandler in the handler mappings section, do the following to resolve the issue.
Method 1
1) Go to Your IIS Manager and select your app
2) Go to Handler Mappings feature
3) Find ExtensionlessUrlHandler-Integrated-4.0 and delete it.
4) Add ExtensionlessUrlHandler in your webconfig (as mentioned in above answers)
<system.webServer>
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" type="System.Web.Handlers.TransferRequestHandler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
Method 2
1) Remove ExtensionlessUrl handler from your web config
2) Click on your app in IIS Server, go to HandlerMappings
3) Find ExtensionlessUrlHandler-Integrated-4.0 (only this name, ignore others)
4) right click on it and choose Edit
edit handler
5) click on 'Request Restrictions' and select Verbs tab & choose All Verbs
this will enable extensionsless handler to allow all verbs.
I will go with method 1, as we can have control in web.config. But make sure you
check the deployment server for duplicate handler definitions.
My web.config with asp.net core 1.0
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<modules>
<remove name="WebDAVModule" />
</modules>
<handlers>
<remove name="WebDAV" />
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified"/>
</handlers>
<aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="false"/>
</system.webServer>
</configuration>
In windows server 2012.
Open applicationHost.config file in notepad with Administrator rights
applicationHost.config file is found in C:\Windows\System32\inetsrv\config
Locate the section
<verbs allowUnlisted="false" applyToWebDAV="true">
<add verb="GET" allowed="true" />
<add verb="HEAD" allowed="true" />
<add verb="POST" allowed="true" />
<add verb="DELETE" allowed="false" />
<add verb="TRACE" allowed="false" />
<add verb="PUT" allowed="false" />
<add verb="OPTIONS" allowed="false" />
</verbs>
Notice DELETE and PUT HTTP Verbs are set to false.
Change them to true.
It should now read as below
<verbs allowUnlisted="false" applyToWebDAV="true">
<add verb="GET" allowed="true" />
<add verb="HEAD" allowed="true" />
<add verb="POST" allowed="true" />
<add verb="DELETE" allowed="true" />
<add verb="TRACE" allowed="false" />
<add verb="PUT" allowed="true" />
<add verb="OPTIONS" allowed="false" />
</verbs>
Save the file. You have enabled HttpPut and HttpDelete requests on your web server
The main solution is to remove webdavmodule from the specific website'd module's section.
So you can do it from both IIS and in webconfig.
I was dealing with the same problem. The solution for me was to turn off the Firewall mode of the Web Application in Plesk Panel.

Resources