ASP.NET Web API – PUT & DELETE Verbs Not Allowed – IIS 8

I recently upgraded from Visual Studio 2010 to the Visual Studio 2012 RC. The installer also installs IIS 8 Express which Visual Studio now uses as the default web server.

IIS 8 is blocking my WEB API requests that use PUT AND DELETE verbs. IIS returns a 405 error, The requested resource does not support http method 'PUT'.

I know people have issues with this in the past and there are several messages about it on Stack Overflow. With IIS 7 Express the solution was to uninstall WebDav. Unfortunately I don’t see any way to do that with IIS 8.

I’ve tried editing out the WebDav sections from applicationhost.config but that hasn’t helped. For example I removed <add name="WebDAVModule" image="%IIS_BIN%webdav.dll" /> from the config file.

I’ve spent far too long on this. There must be a simple way to enable PUT and DELETE?

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

Okay. I finally got to the bottom of this. You need to jump through some hoops to get the PUT and DELETE verbs working correctly with IIS8. In fact if you install the release candidate of VS 2012 and create a new WEB API project you’ll find that the sample PUT and DELETE methods return 404 errors out of the box.

To use the PUT and DELETE verbs with the Web API you need to edit %userprofile%documentsiisexpressconfigapplicationhost.config and add the verbs to the ExtensionlessUrl handler as follows:

Change this line:

<add name="ExtensionlessUrl-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />

to:

<add name="ExtensionlessUrl-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />

In addition to the above you should ensure WebDAV is not interfering with your requests. This can be done by commenting out the following lines from applicationhost.config.

<add name="WebDAVModule" image="%IIS_BIN%webdav.dll" />
<add name="WebDAVModule" /> 
<add name="WebDAV" path="*" verb="PROPFIND,PROPPATCH,MKCOL,PUT,COPY,DELETE,MOVE,LOCK,UNLOCK" modules="WebDAVModule" resourceType="Unspecified" requireAccess="None" />

Also be aware that the default Web API convention is that your method name should be the same as the invoked HTTP verb. For example if you’re sending an HTTP delete request your method, by default, should be named Delete.

Method 2

Change Your Web.Config file as below. It will act like charm.

In node <system.webServer> add below portion of code

<modules runAllManagedModulesForAllRequests="true">
  <remove name="WebDAVModule"/>
</modules>

After adding, your Web.Config will look like below

<system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <modules runAllManagedModulesForAllRequests="true">
        <remove name="WebDAVModule"/>
    </modules>
    <httpProtocol>
    <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Headers" value="Content-Type" />
        <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
    </customHeaders>
    </httpProtocol>
    <handlers>
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%Microsoft.NETFrameworkv4.0.30319aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%Microsoft.NETFramework64v4.0.30319aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
</system.webServer>

Method 3

Remove the WebDAV works perfectly for my case:

<modules>
  <remove name="WebDAVModule"/>
</modules>
<handlers>
  <remove name="WebDAV" />
  <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
  <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" 
       type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>

it always better to solve the problem through the web.config instead of going to fix it through the iis or machine.config to grantee it wouldn’t happen if the app hosted at another machine

Method 4

Update your web.config

  <system.webServer>
    <modules>
      <remove name="WebDAVModule"/>
    </modules>
    <handlers>
      <remove name="WebDAV" />
      <remove name="ExtensionlessUrl-Integrated-4.0" />
      <add name="ExtensionlessUrl-Integrated-4.0"
           path="*."
           verb="GET,HEAD,POST,DEBUG,DELETE,PUT"
           type="System.Web.Handlers.TransferRequestHandler"
           preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
  </system.webServer>

http://odetocode.com/blogs/scott/archive/2012/08/07/configuration-tips-for-asp-net-mvc-4-on-a-windows.aspx

Removes the need to modify your host configs.

Method 5

In Asp.Net Web API – webconfig. This works in all browser.

Add the following code inside the System.web tag

<webServices>
  <protocols>
    <add name="HttpGet"/>
    <add name="HttpPost"/>
  </protocols>
</webServices>

Replace your system.webserver tag with this below code

<httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE" />
    <add name="Access-Control-Allow-Headers" value="Content-Type" />
  </customHeaders>
</httpProtocol>
<modules runAllManagedModulesForAllRequests="false">
  <remove name="WebDAVModule" />
</modules>

<validation validateIntegratedModeConfiguration="false" />
<handlers>
  <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
  <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
  <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
  <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%Microsoft.NETFrameworkv4.0.30319aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
  <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%Microsoft.NETFramework64v4.0.30319aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />

  <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />

</handlers>

Method 6

this worked for me on iis8 together with some of the other answers. My error was a 404.6 specifically

<system.webServer>
  <security>
  <requestFiltering>
    <verbs applyToWebDAV="false">
       <add verb="DELETE" allowed="true" />
    </verbs>
  </requestFiltering>
  </security>
</system.webServer>

Method 7

Just a quick update for anyone else who might run into this issue. As of today, changing the %userprofile%documentsiisexpressconfigapplicationhost.config does NOT work any longer (this was working fine until now, not sure if this is due to a Windows update). After hours of frustration, I changed the web.config to add these handlers to system.webserver to get it to work:

<handlers>
        <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
        <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
        <remove name="ExtensionlessUrlHandler-Integrated-4.0" />

        <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%Microsoft.NETFrameworkv4.0.30319aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
        <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%Microsoft.NETFramework64v4.0.30319aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
        <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>

Method 8

Enable CORS (nice and neat)

1.Add CORS nuget package

Install-Package microsoft.aspnet.webapi.cors

2.in the WebApiConfig.cs file to Register method add bellow code :

config.EnableCors();

ex:
using System.Web.Http;

namespace test
{
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Web API configuration and services


        config.EnableCors(); //add this**************************


        // Web API routes
        config.MapHttpAttributeRoutes();

        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional }
        );           
    }
}
}

3.Add bellow code into namespace of the controller include get,post,delete,put or any http method

[EnableCors(origins: "The address from which the request comes", headers: "*", methods: "*")]

ex:

using System.Web.Http.Cors;//add this******************************
namespace Test.Controllers
{
[EnableCors(origins: "http://localhost:53681/HTML/Restaurant.html", headers: "*", methods: "*")]
public class RestaurantController : ApiController
{
    protected TestBusinessLayer DevTestBLL = new TestBusinessLayer();

    public List<Restaurant> GET()
    {
        return DevTestBLL.GetRestaurant();
    }

    public List<Restaurant> DELETE(int id)
    {
        return DevTestBLL.DeleteRestaurant(id);
    }       
}
}

reference :http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api

Method 9

For PHP, it was simply:

  1. Open IIS
  2. Go to Handler Mappings
  3. click edit on php5.6.x or php7.0.x
  4. click “request restrictions”
  5. under the verbs tab, select “one of the following verbs” and add “GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS”

I imagine this will work with other handlers too.

Method 10

After nothing worked, I was able to solve this by below steps:

• Did not select ‘WEB DAV PUBLISHING’ IIS settings, while installing IIS.
• INETMGR – Default Website – Request Filtering – HTTP Verbs – PUT as True

Method 11

After endless searching and trying the already supplied answers (adding the PUT,DELETE verbs and remove WEBdav) it just didn’t work.

I went to IIS logging settings: > View Log Files. In my case W3SVC4 was the folder with the latest date, opened the folder, looked up the latest log file and saw this entry:
GET /Rejected-By-UrlScan ~/MYDOMAIN/API/ApiName/UpdateMETHOD

The Update method was listed with verb GET, weird right? So I Googled for Rejected-By-UrlScan and found this link: UrlScan Broke My Blog.

I went to here: %windir%system32inetsrvurlscanUrlScan.ini

Basically, the UrlScan blocked PUT and DELETE verbs.
I opened this INI file, added the PUT and DELETE to the AllowVerbs and removed them from the DenyVerbs listings.
I saved the INI file and it worked! So for me these steps were necessary next to the ExtensionlessUrlHandler hints.

Windows Webserver 2008 R2 (64 bit), IIS 7.5.
I’m using this in combination with DotNetNuke (DNN) WebAPI. ASP.Net 4.0
My update method:

[HttpPut]
[DnnAuthorize(StaticRoles = "MyRoleNames")]
public HttpResponseMessage UpdateMETHOD(DTO.MyObject myData)

Method 12

I have faced the same issue with you, then solved it,
Here are solutions, I wish it maybe can help
First

In the IIS modules Configuration, loop up the WebDAVModule, if your web server has it, then remove it

Second

In the IIS handler mappings configuration, you can see the list of enabling handler, to choose the PHP item, edit it, on the edit page, click request restrictions button, then select the verbs tab in the modal, in the specify the verbs to be handle label, check the all verbs radio, then click ok, you also maybe see a warning, it shows us that use double quotation marks to PHP-CGI execution, then do it

if done it, then restart IIS server, it will be ok

enter image description here

Method 13

Besides all above solutions, check if you have the “id” or any custom defined parameter in the DELETE method is matching the route config.

public void Delete(int id)
{
 //some code here
}

If you hit with repeated 405 errors better reset the method signature to default as above and try.

The route config by default will look for id in the URL. So the parameter name id is important here unless you change the route config under App_Start folder.

You may change the data type of the id though.

For example the below method should work just fine:

public void Delete(string id)
{
 //some code here
}

Note: Also ensure that you pass the data over the url not the data method that will carry the payload as body content.

DELETE http://{url}/{action}/{id}

Example:

DELETE http://localhost/item/1

Hope it helps.

Method 14

Here is how you allow extra HTTP Verbs using the IIS Manager GUI.

  1. In IIS Manager, select the site you wish to allow PUT or DELETE for.
  2. Click the “Request Filtering” option. Click the “HTTP Verbs” tab.
  3. Click the “Allow Verb…” link in the sidebar.
  4. In the box that appears type “DELETE”, click OK.
  5. Click the “Allow Verb…” link in the sidebar again.
  6. In the box that appears type “PUT”, click OK.

Method 15

I am using an ashx file in an MVC application and none of the above answers worked for me. IIS 10.

Here’s what did work. Instead of changing “ExtensionlessUrl-Integrated-4.0” in IIS or web.config I changed “SimpleHandlerFactory-Integrated-4.0” for “*.ashx” files:

<add name="SimpleHandlerFactory-Integrated-4.0" path="*.ashx" 
verb="GET,HEAD,POST,DEBUG,PUT,DELETE" 
type="System.Web.UI.SimpleHandlerFactory" 
resourceType="Unspecified" requireAccess="Script" 
preCondition="integratedMode,runtimeVersionv4.0" />

Method 16

I am not sure if you have edited right configuration file. Try following steps

  1. open %userprofile%ducumentsiisexpressconfigapplicationhost.config
  2. By default bellow given entries are commented in the applicationhost.config file. uncomment these entries.
<add name="WebDAVModule" image="%IIS_BIN%webdav.dll" />


<add name="WebDAVModule" />
<add name="WebDAV" path="*"
 verb="PROPFIND,PROPPATCH,MKCOL,PUT,COPY,DELETE,MOVE,LOCK,UNLOCK"
 modules="WebDAVModule" resourceType="Unspecified" requireAccess="None"
 />

Method 17

The another reason can be the following:

I changed my Url for Web Api method according to this answer:

Url.Action("MyAction", "MyApiCtrl", new { httproute = "" })

But this method creates link like:

/api/MyApiCtrl?action=MyAction

This works correctly with GET and POST requests but not with PUT or DELETE.

So I just replaced it with:

/api/MyApiCtrl

and it fixed the problem.

Method 18

In IIS 8.5/ Windows 2012R2, Nothing mentioned here worked for me.
I don’t know what is meant by Removing WebDAV but that didn’t solve the issue for me.

What helped me is the below steps;

  1. I went to IIS manager.
  2. In the left panel selected the site.
  3. In the left working area, selected the WebDAV, Opened it double clicking.
  4. In the right most panel, disabled it.

Now everything is working.

Method 19

I added requireAccess="None" to web.config like this

    <configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
                <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
                <remove name="WebDAV" />
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" requireAccess="None"/>
                <add name="WebDAV" path="*" verb="PROPFIND,PROPPATCH,MKCOL,PUT,DELETE,COPY,MOVE,LOCK,UNLOCK" modules="WebDAVModule" resourceType="Unspecified" requireAccess="None" />
                <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,DELTE" type="System.Web.Handlers.TransferRequestHandler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" responseBufferLimit="0" />
      </handlers>
      <aspNetCore processPath=".Informing.Gateway.Api.exe" stdoutLogEnabled="false" stdoutLogFile=".logsstdout" hostingModel="InProcess" />
    </system.webServer>
  </location>
</configuration>

And It worked. That’s it

Method 20

Trial an error is not the correct way to fix this problem. What needs to be done is:

  • To identify the source that blocks your PUT/DELETE requests
  • then you can remove it, disable it or even better configure it:

1- In order to know the source , you have to configure the Failed Request Tracing in IIS.
ASP.NET Web API - PUT & DELETE Verbs Not Allowed - IIS 8
2- You have “Add” what Errors to log
ASP.NET Web API - PUT & DELETE Verbs Not Allowed - IIS 8
ASP.NET Web API - PUT & DELETE Verbs Not Allowed - IIS 8
Make sure you use short life span for this tracing entry to avoid overwhelming your system with log files. IIS will generate a separate xml file for each call.
3- Make the erroneous request using Postman or Swagger to generate a tracing error entry.
4- From the previous screen, you can select “View Trace Logs” to take you to the generated log files.
5- Open the erroneous log file using internet explorer. And accept any messages.
ASP.NET Web API - PUT & DELETE Verbs Not Allowed - IIS 8
6- Notice the source that blocks your request.
ASP.NET Web API - PUT & DELETE Verbs Not Allowed - IIS 8
7- disable it either in Modules or Mapping Handler from IIS interface or in your web.config as demonstrated by other posters.

Method 21

You can convert your Delete method as POST as;

 [HttpPost]
 public void Delete(YourDomainModel itemToDelete)
 {
 }


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x