2

I have a problem where a request with the OPTIONS verb fails with HTTP response code 404. After inspecting the logs, the issue came down to UrlScan 3.1, which blocks this verb by default. Removing the UrlScan from ISAPI fileters in IIS fixes the problem, however the UrlScan needs to be on the system.

As per UrlScan documentation (https://support.microsoft.com/en-us/kb/326444), I've added the OPTIONS verb to the [AllowVerbs] section of the UrlScan.ini file, checked that the UseAllowVerbs is set to 1 and restarted the IIS (also tried rebooting the server). However, this didn't fix this issue. I've tried removing all of the verbs from the allowed list just to see if that would have any effect, but nothing changed.

So, the question is why would UrlScan not take the new configuration?

Thank you!

Denis Stepanenko
  • 510
  • 6
  • 14

2 Answers2

0

I hope you might have found a solution. I went through the same problem today and what I did was checking url scan logs to see that 'Rejected disallowed+header request+headers transfer-encoding'. As a solution to this, added ; before transfer-encoding in [DenyHeaders] so that it will be commented. You might also be facing some other violation so therefore I suggest you to have a look on logs.

It's important you do a IISReset after changes rather than just a restart.

Uthpala Pathirana
  • 146
  • 3
  • 18
0

Spending a whole week, after all the following setting worked ! and finally saved. Removing the UrlScan from ISAPI fileters in IIS fixes the problem, however the UrlScan needs to be on the system.

Faisal
  • 1