ASP.NET Core with IIS - HTTP Verb Not Allowed

56
votes

We have an ASP.NET Core 2.0 web site that also presents a couple of simple Web API methods for UI enhancement purposes.

The Web API calls work as expected when running locally under IIS Express, but when we deploy to our IIS 8.5 production web server, we get the following error when making HTTP DELETE and PUT requests...

405 Method Not Allowed

After some web searching, we have found several posts suggesting the removal of the IIS WebDAV module. We have disabled this in IIS (it is our server), and we have also tried the following:

  • Disabled WebDAV
  • Enabled WebDev and set Allow verb filtering = False
  • Set the Hander Mappings to allow All Verbs in the Request Restrictions settings for: aspNetCore, WebDAV and ExtensionlessUrlHandler-Integrated-4.0

None of the above steps have resolved our problem.

Any advice/direction would be much appreciated.

10
asp.netiisasp.net-coreasp.net-core-webapi

10 Answers

7
votes

Whilst removing WebDAV may solve your issue, you may be wondering (like I was), what is WebDAV and what is it used for?

I found this page which helps explain it:

https://www.cloudwards.net/what-is-webdav/

65
votes

After hours of research and trial and error, the fix seems to be pretty simple. Add a Web.config file to your .NET Core 2.0 application:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <!-- To customize the asp.net core module uncomment and edit the following section. 
         For more info see https://go.microsoft.com/fwlink/?linkid=838655 -->
    <system.webServer>
        <modules>
            <remove name="WebDAVModule" />
        </modules>
        <handlers>
            <remove name="aspNetCore" />
            <remove name="WebDAV" />
            <!-- I removed the following handlers too, but these
                 can probably be ignored for most installations -->
            <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
            <remove name="OPTIONSVerbHandler" />
            <remove name="TRACEVerbHandler" />

            <add name="aspNetCore" 
                 path="*" 
                 verb="*" 
                 modules="AspNetCoreModule" 
                 resourceType="Unspecified" />
        </handlers>
        <aspNetCore processPath="%LAUNCHER_PATH%" 
                    arguments="%LAUNCHER_ARGS%" 
                    stdoutLogEnabled="false"
                    stdoutLogFile=".\logs\stdout" />
    </system.webServer>
</configuration>

Hope this helps.

60
votes

This was what worked for me (netcore 2.0)

<system.webServer>
  <modules runAllManagedModulesForAllRequests="false">
    <remove name="WebDAVModule" />
  </modules>
</system.webServer>

Found here: https://www.ryadel.com/en/error-405-methods-not-allowed-asp-net-core-put-delete-requests/

6
votes

To prevent WebDav from getting enabled at all, remove the following entry from the ApplicationHost.config: 

<add name="WebDAVModule" />

The entry is located in the modules section.

Exact location of the config:
C:\Windows\System32\inetsrv\config\applicationHost.config

This worked well for me in .Net Core 2.1

5
votes

Remove the WebDAV Publishing from IIS server. Its come under the Internet Infromation service -> Common Http Features

https://ignas.me/tech/405-method-not-allowed-iis/

2
votes

In my case, I got the 405 error for .Net 5 Web API PUT and DELETE calls. I tried multiple solutions like removing WebDAV (Turn Windows features on or off -> IIS -> World Wide Web Services -> Common HTTP feature -> WebDAV Publishing) doesn't work, editing WebDAV entry in "Handler Mappings" messed up the application.

Solution

In IIS, select the application

  1. Add rules to allow HTTP verbs in Request Filtering (But this alone doesn't work).
  2. Go to "Modules", then select the "WebDAV Publishing" module and remove it.
  3. Go to "Handler Mappings", then select the "WebDAV" and remove it.
  4. in cmd run IISRESET
1
votes

Add the following lines to your web.config file. That does it.

Web.config screenshot

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
        <modules>
            <remove name="WebDAVModule" />
        </modules>
      <handlers>
      
            <remove name="WebDAV" />
            <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
            <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,PUT,DELETE,DEBUG" type="System.Web.Handlers.TransferRequestHandler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" responseBufferLimit="0" />
            
            <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\Ftms.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
    </system.webServer>
  </location>
</configuration>
0
votes

For me, I resolved the issue after I noticed I was trying to post to the client domain instead of the API. [facepalm]

0
votes

In my case, I resolved the issue after I add requireAccess="None" to aspNetCore handler

Like this :

<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" requireAccess="None" />
-1
votes

To prevent WebDav from getting enabled at all, remove or comment the following entry from the ApplicationHost.config:

<add name="WebDAVModule" />

The entry is located in the modules section.

Exact location of the config: C:\Windows\System32\inetsrv\config\applicationHost.config

This worked well for me in .Net Core 2.2