I have had luck with the CORS IIS add-in which you can download from Microsoft. It supports multiple domains, it allows different authentication configurations, and it allows you to only offer a subset of APIs to different domains if you choose to get fancy.
You just need to add in a section like this in your web.config.
    <system.webServer>
        <cors enabled="true" failUnlistedOrigins="true">
            <add origin="http://server1.com"
                 allowCredentials="true"
                 allowed="true"
                 maxAge="120">
            </add>
            <add origin="http://server2.com"
                 allowed="true"
                 allowCredentials="true"
                 maxAge="120">
            </add>
        </cors>
    </system.webServer>
If you want to dive into the options look here.
One thing to note that threw me off at first was that this conflicts with other web.config tweaks like manually adding the Access-Control-Origin header yourself, so only do one or the other; not both.
The other thing to note is that even if you have the server set up perfectly, you may need client-side tweaks to actually consume it. For example, here are the JavaScript fetch method options that needed to be used to call methods against the CORS server with authentication.
    fetch(url, {
        method: 'GET', // *GET, POST, PUT, DELETE, etc.
        mode: 'cors', // no-cors, *cors, same-origin
        cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
        credentials: 'include', // include, *same-origin, omit
    })
Good luck.
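As an added example (not part of the original answer, and not code from the IIS CORS module): a small checker that applies the rules a browser enforces on the response to a `credentials: 'include'` request, including the duplicate-header case that results from configuring the module and a manual header together. The function name and all header values are constructed for illustration.

```javascript
// Added example: validate CORS response headers for a credentialed request.
// headerPairs is a raw list of [name, value] pairs so duplicates stay visible.
function checkCredentialedCors(requestOrigin, headerPairs) {
  // Collect every value sent for a header, across repeated header lines.
  const values = (name) =>
    headerPairs
      .filter(([n]) => n.toLowerCase() === name)
      .flatMap(([, v]) => v.split(','))
      .map((v) => v.trim())
      .filter((v) => v.length > 0);

  const problems = [];
  const allowOrigin = values('access-control-allow-origin');
  const allowCreds = values('access-control-allow-credentials');

  if (allowOrigin.length === 0) {
    problems.push('missing Access-Control-Allow-Origin');
  } else if (allowOrigin.length > 1) {
    // Typical result of two mechanisms both emitting the header.
    problems.push('multiple Access-Control-Allow-Origin values: ' + allowOrigin.join(', '));
  } else if (allowOrigin[0] === '*') {
    problems.push('wildcard origin is not accepted with credentials');
  } else if (allowOrigin[0] !== requestOrigin) {
    problems.push('origin mismatch: ' + allowOrigin[0]);
  }

  // The value is compared case-sensitively; "True" or "TRUE" does not count.
  if (allowCreds.length !== 1 || allowCreds[0] !== 'true') {
    problems.push('Access-Control-Allow-Credentials must be exactly "true"');
  }
  return problems;
}

// Constructed sample responses for a page served from http://server1.com.
const moduleOnly = [
  ['Access-Control-Allow-Origin', 'http://server1.com'],
  ['Access-Control-Allow-Credentials', 'true'],
];
// Same response with an extra, manually configured wildcard header.
const moduleAndManual = [...moduleOnly, ['Access-Control-Allow-Origin', '*']];

console.log(checkCredentialedCors('http://server1.com', moduleOnly));
console.log(checkCredentialedCors('http://server1.com', moduleAndManual));
```

Feed it the response headers copied from the browser's network tab or a proxy capture; an empty array means the headers satisfy the credentialed-request checks.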