Avoiding a 401 with hosted woff, woff2, ttf files in IIS

I recently ran into an issue where we were hosting css, fonts and image files on a single site so that other sites on the intranet could access and use those shared resources. We had already enabled CORS in the web.config using:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Access-Control-Allow-Origin" value="*" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Plus we reset the MIME types in the web.config using:

<staticContent>
  <remove fileExtension=".woff" />
  <mimeMap fileExtension=".woff" mimeType="application/font-woff" />
  <remove fileExtension=".woff2" />
  <mimeMap fileExtension=".woff2" mimeType="application/font-woff2" />
  <remove fileExtension=".ttf" />
  <mimeMap fileExtension=".ttf" mimeType="application/font-ttf" />
</staticContent>

The other intranet sites started to use the CSS, JS, image and font files, and everything looked fine in IE, but then we looked at the sites using Chrome and Firefox and ran into 401 errors for the font files. The intranet site and the hosting site are both running on IIS and have Windows Authentication turned on. One way to fix it is to disable Windows Authentication and turn on Anonymous Authentication, but that was not an option for us. We looked at the URL Rewrite module and at updating the web.config to reset the MIME types, and still no dice. The problem is stated here, as per https://github.com/spenibus/cors-everywhere-firefox-addon/issues/1:

Both Firefox and Chrome do not send the “Authorize: Basic xxx” header that carries the credentials when fetching a font from another domain with a css font-face rule. So even with the proper CORS headers, the request will still fail with an error 401. In fact, when setting the style directly in the html document, I am never prompted for credentials to access the font file.

After some messing around, I noticed that when I clicked on the folders I needed shared in the IIS web site, the full set of IIS options was available, including Authentication. Hmmm, could I set the authentication on the folder level to Anonymous while leaving the site to use Windows Auth? YES! In the same way you set the authentication settings for the web site, you can do the same for the folders within the website that are exposed out as part of the site. Once I set the folders to Anonymous, the 401 problems went away. Hope this helps anyone else who runs into this!
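
The folder-level setting described above can also be written as configuration. The fragment below is an added example, not part of the original post: the site name SharedAssets and the folder name fonts are assumed, and it sits in applicationHost.config because IIS locks the authentication sections against web.config overrides by default.

```xml
<!-- Added example: fragment for
     %windir%\System32\inetsrv\config\applicationHost.config
     "SharedAssets" (site) and "fonts" (folder) are assumed names. -->

<!-- Site level: Windows Authentication stays on, anonymous stays off. -->
<location path="SharedAssets">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>

<!-- Folder level: only the shared font folder allows anonymous requests,
     so the cross-origin @font-face fetch that arrives without credentials
     is served instead of answered with a 401.
     windowsAuthentication is not listed here and is inherited from the site. -->
<location path="SharedAssets/fonts">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>
```

Keep the anonymous scope as narrow as the shared folders themselves, since everything under that path becomes readable without credentials by anyone who can reach the server.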
