ASP.NET Web API - PUT & DELETE Verbs Not Allowed - IIS 8

Question

I recently upgraded from Visual Studio 2010 to the Visual Studio 2012 RC. The installer also installs IIS 8 Express which Visual Studio now uses as the default web server.

IIS 8 is blocking my WEB API requests that use PUT AND DELETE verbs. IIS returns a 405 error, The requested resource does not support http method 'PUT'.

I know people have issues with this in the past and there are several messages about it on Stack Overflow. With IIS 7 Express the solution was to uninstall WebDav. Unfortunately I don't see any way to do that with IIS 8.

I've tried editing out the WebDav sections from applicationhost.config but that hasn't helped. For example I removed <add name="WebDAVModule" image="%IIS_BIN%\webdav.dll" /> from the config file.

I've spent far too long on this. There must be a simple way to enable PUT and DELETE?

This still broken in the RTM version. Just wasted 3 hours on this... All that was needed was to add the extra verbs to `ExtensionlessUrl-Integrated-4.0`. — leppie, Nov 13 '12 at 08:22
I don't think this is broken but is by design. I think changing the default behavior would interfere with WebDAV and break backwards compatibility. This also didn't work with IIS7 when WebDAV was installed. — Mark, Nov 17 '12 at 07:58
I also just wasted 3 hours on this... 6 years after this post. — Brian Jenkins, Jan 19 '19 at 21:32

Mark · Accepted Answer · 2012-06-19T06:49:52.770

168

Okay. I finally got to the bottom of this. You need to jump through some hoops to get the PUT and DELETE verbs working correctly with IIS8. In fact if you install the release candidate of VS 2012 and create a new WEB API project you'll find that the sample PUT and DELETE methods return 404 errors out of the box.

To use the PUT and DELETE verbs with the Web API you need to edit %userprofile%\documents\iisexpress\config\applicationhost.config and add the verbs to the ExtensionlessUrl handler as follows:

Change this line:

<add name="ExtensionlessUrl-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />

to:

<add name="ExtensionlessUrl-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />

In addition to the above you should ensure WebDAV is not interfering with your requests. This can be done by commenting out the following lines from applicationhost.config.

<add name="WebDAVModule" image="%IIS_BIN%\webdav.dll" />
<add name="WebDAVModule" /> 
<add name="WebDAV" path="*" verb="PROPFIND,PROPPATCH,MKCOL,PUT,COPY,DELETE,MOVE,LOCK,UNLOCK" modules="WebDAVModule" resourceType="Unspecified" requireAccess="None" />

Also be aware that the default Web API convention is that your method name should be the same as the invoked HTTP verb. For example if you're sending an HTTP delete request your method, by default, should be named Delete.

edited Jun 19 '12 at 06:49

answered Jun 06 '12 at 02:07

Mark

19,576
12
48
65

9

For similar problems with OPTIONS verb on IIS8 (where something else is intercepting before your handlers) try in your web.config. For that matter, I would advise using the "remove" technique in your local web.config over messing with applicationhost.config when possible as a general rule – Jason Mar 28 '13 at 02:28
7

Instead of removing WebDAV at server level which may have knock-on effects it is better to remove it from your project as shown here: http://stackoverflow.com/a/14465655/428280 – Twisted Jul 05 '13 at 12:01
And then what? May be even it will work locally but won't work on Azure – Toolkit Aug 13 '14 at 06:18
5

An answer that instructs to modify system settings, even on dev machines, can't be an answer. This solves a symptom and does not really helps on teams and on production. Will you replicate this on every machine? Check out Santosh Sah answer. – André Werlang May 04 '15 at 16:20
In addition, I also needed to remove the `WebDAVModule` from the modules section, as per [Santosh Sah's answer](http://stackoverflow.com/questions/10906411/asp-net-web-api-put-delete-verbs-not-allowed-iis-8/19722942#19722942). – Ivaylo Slavov May 16 '15 at 09:52
Unfortunately, this didn't work for me. I'm using IIS8.5, any other leads please? :( – AnimaSola Sep 03 '15 at 05:01
Using IISExpress 10 with VS 2015 Community, the WebDAV settings were already commented out, but I had to make the "ExtensionlessUrl-Integrated-4.0" verb changes. I was stumped for hours till this post, I thought I was doing PUT wrong. How I laughed when I found out it was Microsoft all along... – Steve Hibbert Jan 03 '16 at 16:27
I just came across this answer after searching for a full day (10 hours). It's quite elegant - creating a custom handler that inherits from the existing SimpleHandlerFactory handler. http://stackoverflow.com/a/37197698/165898 Enjoy! – Jason Dec 03 '16 at 03:03
Isn't there any way to make this change locally so it only applies to a single folder? People might want to allow PUT verbs on url.com/api/ but not on the rest of the site. – Typel Oct 11 '17 at 19:01
Why would editing the IIS Express configuration have ANY effect on IIS? -- They are two different products. Unfortunately, this will only work in your local dev. environment; the `web.config` solution below is what you need for IIS. – BrainSlugs83 Oct 15 '18 at 20:07
This worked for me although I'm using IIS, not IIS Express, so the path to the config file for me was: C:\Windows\System32\inetsrv\Config\applicationHost.config – Rich Feb 08 '19 at 18:48

score 128 · Answer 2 · answered Nov 01 '13 at 08:04

128

Change Your Web.Config file as below. It will act like charm.

In node <system.webServer> add below portion of code

<modules runAllManagedModulesForAllRequests="true">
  <remove name="WebDAVModule"/>
</modules>

After adding, your Web.Config will look like below

<system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <modules runAllManagedModulesForAllRequests="true">
        <remove name="WebDAVModule"/>
    </modules>
    <httpProtocol>
    <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Headers" value="Content-Type" />
        <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
    </customHeaders>
    </httpProtocol>
    <handlers>
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
</system.webServer>

answered Nov 01 '13 at 08:04

Santosh Prasad Sah

1,953
1
15
13

3

Removing WebDavModule is the correct way of getting aroung this issue. – MissRaphie Sep 19 '14 at 14:55
6

Saved my day: – Peter Stegnar Feb 03 '15 at 08:10
4

Custom headers shouldn't be needed as they're related to CORS and this way you're inducing to a security hole. Just the part regarding `WebDAVModule` is relevant. – André Werlang May 04 '15 at 16:22
2

This answer is correct with the only exception that the handler name may differ across IIS versions - for instance 7.5 uses `"ExtensionlessUrlHandler-Integrated-4.0"` (as in above answer) while IIS 8.5 has this renamed to `"ExtensionlessUrl-Integrated-4.0"` (also mentioned by [Mark S.](http://stackoverflow.com/questions/10906411/asp-net-web-api-put-delete-verbs-not-allowed-iis-8/10907343#10907343) The name of the handler is shown in the IIS error page, once you receive the error, so it should be trivial to know which to set. I use both names in order to support different hosting environments. – Ivaylo Slavov May 16 '15 at 09:54
This helped me enable PUT and DELETE methods on Plesk. Thanks – Yushell Jul 17 '15 at 00:25
7

It makes me die a little inside everytime I see this - runAllManagedModulesForAllRequests="true" - as a solution http://www.britishdeveloper.co.uk/2010/06/dont-use-modules-runallmanagedmodulesfo.html – Oliver Sep 02 '15 at 15:49
Thanks! This is still super helpful in March 2016! – Targaryen Mar 23 '16 at 17:15
3

*CAUTION* : The custom headers section in the above code allows *ANY* site to call your API from a browser - which is a *big security risk*. Read up on CORS, which is effectively what those headers are enabling. – profMamba Apr 03 '17 at 04:17
@profMamba, answer is not related to CORS. Of course, you can configure "Access-Control-Allow-Origin" to allow your domains. – Santosh Prasad Sah Apr 03 '17 at 10:52
Worked like a charm for me. Thanks. – Srichandradeep C Dec 12 '17 at 10:15
this help me for put an delete after remove in vs2015 in win10 – JPCS Feb 24 '18 at 21:28
I get a 500 internal error after making this change. – Jesse Barnum Apr 11 '18 at 17:24
@JesseBarnum, please debug and let me know error detail. Above fix itself does not cause any interval server error. – Santosh Prasad Sah Apr 12 '18 at 04:26
This worked like a charm for me in VS 2017 and IIS 10 (help -> about in inetmgr says it's version 10, not sure if that's accurate. Might just be the tool version. Anyway, it's whatever comes built-in to Windows 10). – BrainSlugs83 Oct 15 '18 at 20:06
this worked for me, I had to change it on a hosting, only can work in my web.config – oware Jun 05 '19 at 17:24
adding this parameter made the change "runAllManagedModulesForAllRequests" it works now – Adel Mourad Feb 09 '20 at 22:36

score 63 · Answer 3 · edited Aug 14 '17 at 02:17

63

Remove the WebDAV works perfectly for my case:

<modules>
  <remove name="WebDAVModule"/>
</modules>
<handlers>
  <remove name="WebDAV" />
  <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
  <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" 
       type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>

it always better to solve the problem through the web.config instead of going to fix it through the iis or machine.config to grantee it wouldn't happen if the app hosted at another machine

edited Aug 14 '17 at 02:17

Hager Aly

1,093
9
23

answered Apr 27 '15 at 01:36

Peter.Wang

1,645
1
15
11

This worked for me, where the others didn't for some reason (was on IIS 8.5 ) thanks – John Nov 03 '15 at 08:59
4

Remove WebDAVModule worked for me, no need to remove handler WebDAV (IIS 8.0). – PeterS Mar 30 '16 at 09:02
3

just removing webdav works on framework 4.6.2 iis8.5 – Abdul Rehman Sayed Mar 08 '17 at 07:07

Chris Marisic · Answer 4 · 2016-03-09T19:13:14.443

47

Update your web.config

  <system.webServer>
    <modules>
      <remove name="WebDAVModule"/>
    </modules>
    <handlers>
      <remove name="WebDAV" />
      <remove name="ExtensionlessUrl-Integrated-4.0" />
      <add name="ExtensionlessUrl-Integrated-4.0"
           path="*."
           verb="GET,HEAD,POST,DEBUG,DELETE,PUT"
           type="System.Web.Handlers.TransferRequestHandler"
           preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
  </system.webServer>

http://odetocode.com/blogs/scott/archive/2012/08/07/configuration-tips-for-asp-net-mvc-4-on-a-windows.aspx

Removes the need to modify your host configs.

edited Mar 09 '16 at 19:13

answered Sep 23 '14 at 19:43

Chris Marisic

30,638
21
158
255

1

I was already written other line but it was not working. after adding lines and it is working now. Thanks a lot & 1 up vote from my side. – Banketeshvar Narayan Sep 08 '16 at 07:35
This works, but may fail due to configuration locking preventing the use of in web.config. In this case, you have to disable the configuration lock in applicationHost.config. If you don't have control over applicationHost.config for some reason, then this approach cannot be used. – Florian Winter Jan 18 '17 at 08:07
Worked with IIS10, though I just used "*" as verb – Javier G. Jan 04 '18 at 18:06
1

Worked with IIS 10 and Web API 2. Worked, I should add, after another dozen "solutions" I found online did not. Thanks! – Matt West May 24 '19 at 16:07

Ganesh · Answer 5 · 2014-11-19T09:49:16.867

18

In Asp.Net Web API - webconfig. This works in all browser.

Add the following code inside the System.web tag

<webServices>
  <protocols>
    <add name="HttpGet"/>
    <add name="HttpPost"/>
  </protocols>
</webServices>

Replace your system.webserver tag with this below code

<httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE" />
    <add name="Access-Control-Allow-Headers" value="Content-Type" />
  </customHeaders>
</httpProtocol>
<modules runAllManagedModulesForAllRequests="false">
  <remove name="WebDAVModule" />
</modules>

<validation validateIntegratedModeConfiguration="false" />
<handlers>
  <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
  <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
  <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
  <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
  <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />

  <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />

</handlers>

edited Nov 19 '14 at 09:49

answered Aug 27 '13 at 06:06

Ganesh

396
4
10

I had this problem in IIS 7.5, and this fix worked perfectly. Instead of deleting all of my system.webserver content, I just merged the relevant settings above into my own settings. – Keith Walton Oct 15 '13 at 00:26
38

**CAUTION** : The custom headers section in the above code allows __ANY__ site to call your API from a browser - which is a **big security risk**. Read up on CORS, which is effectivly what those headers are enabling. – profMamba Dec 02 '13 at 04:04
Also had this issue on iis 7.5 and this worked. Be sure to read Toolkit's message above about the risk involved in opening up cors to everyone. Also upvote his comment because tidbits like that a very valuable. – sjdirect Nov 06 '14 at 17:44
I don't think you need custom headers at all in this case. The rest of the `system.webserver` section should suffice - just make sure you have the [right name](http://stackoverflow.com/questions/10906411/asp-net-web-api-put-delete-verbs-not-allowed-iis-8/19722942#comment48647342_19722942) for the extensionless url handler. – Ivaylo Slavov May 16 '15 at 10:00
@profMamba So how are we supposed to deploy a PUT web service securely if we do not do this?! – niico Mar 22 '17 at 12:24
1

@niico You should allow only trusted sites to Access-Control-Allow-Origin i.e. replace "*" with your website(s) URL. This property is a white list of all trusted sites, unless you want to trust the entire web (which is typically a bad idea). – profMamba Apr 03 '17 at 04:20
Finally, after much grief, this worked for me on a bastardized corporate pc. Windows 7. Visual Studio 2013. Thanks! – Florida G. Jun 21 '17 at 21:14
Customheaders fixed the issue for .net core on IIS 10 on Windows Server 2016. Thanks! – atakan Jun 07 '18 at 22:03

score 5 · Answer 6 · answered Jan 25 '15 at 01:43

5

this worked for me on iis8 together with some of the other answers. My error was a 404.6 specifically

<system.webServer>
  <security>
  <requestFiltering>
    <verbs applyToWebDAV="false">
       <add verb="DELETE" allowed="true" />
    </verbs>
  </requestFiltering>
  </security>
</system.webServer>

answered Jan 25 '15 at 01:43

Sico

1,181
1
10
16

when you run AppCmd, this is what in puts in your web.Config (except for the applyToWebDAV bit). – Chase Florell Feb 19 '15 at 20:24

score 5 · Answer 7 · answered Jan 05 '16 at 23:06

Just a quick update for anyone else who might run into this issue. As of today, changing the %userprofile%\documents\iisexpress\config\applicationhost.config does NOT work any longer (this was working fine until now, not sure if this is due to a Windows update). After hours of frustration, I changed the web.config to add these handlers to system.webserver to get it to work:

<handlers>
        <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
        <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
        <remove name="ExtensionlessUrlHandler-Integrated-4.0" />

        <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
        <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
        <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>

zokaee hamid · Answer 8 · 2016-01-31T18:22:10.197

Enable CORS (nice and neat)

1.Add CORS nuget package

Install-Package microsoft.aspnet.webapi.cors

2.in the WebApiConfig.cs file to Register method add bellow code :

config.EnableCors();

ex:
using System.Web.Http;

namespace test
{
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Web API configuration and services


        config.EnableCors(); //add this**************************


        // Web API routes
        config.MapHttpAttributeRoutes();

        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional }
        );           
    }
}
}

3.Add bellow code into namespace of the controller include get,post,delete,put or any http method

[EnableCors(origins: "The address from which the request comes", headers: "*", methods: "*")]

ex:

using System.Web.Http.Cors;//add this******************************
namespace Test.Controllers
{
[EnableCors(origins: "http://localhost:53681/HTML/Restaurant.html", headers: "*", methods: "*")]
public class RestaurantController : ApiController
{
    protected TestBusinessLayer DevTestBLL = new TestBusinessLayer();

    public List<Restaurant> GET()
    {
        return DevTestBLL.GetRestaurant();
    }

    public List<Restaurant> DELETE(int id)
    {
        return DevTestBLL.DeleteRestaurant(id);
    }       
}
}

reference :http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api

score 4 · Answer 9 · edited Jun 15 '16 at 10:44

4

After nothing worked, I was able to solve this by below steps:

• Did not select ‘WEB DAV PUBLISHING’ IIS settings, while installing IIS. • INETMGR - Default Website – Request Filtering – HTTP Verbs – PUT as True

edited Jun 15 '16 at 10:44

pedrofernandes

14,655
9
32
42

answered Jun 15 '16 at 08:44

Anshuman Saurabh

41
1

score 3 · Answer 10 · answered Apr 30 '15 at 22:06

After endless searching and trying the already supplied answers (adding the PUT,DELETE verbs and remove WEBdav) it just didn't work.

I went to IIS logging settings: > View Log Files. In my case W3SVC4 was the folder with the latest date, opened the folder, looked up the latest log file and saw this entry: GET /Rejected-By-UrlScan ~/MYDOMAIN/API/ApiName/UpdateMETHOD

The Update method was listed with verb GET, weird right? So I Googled for Rejected-By-UrlScan and found this link: UrlScan Broke My Blog.

I went to here: %windir%\system32\inetsrv\urlscan\UrlScan.ini

Basically, the UrlScan blocked PUT and DELETE verbs. I opened this INI file, added the PUT and DELETE to the AllowVerbs and removed them from the DenyVerbs listings. I saved the INI file and it worked! So for me these steps were necessary next to the ExtensionlessUrlHandler hints.

Windows Webserver 2008 R2 (64 bit), IIS 7.5. I'm using this in combination with DotNetNuke (DNN) WebAPI. ASP.Net 4.0 My update method:

[HttpPut]
[DnnAuthorize(StaticRoles = "MyRoleNames")]
public HttpResponseMessage UpdateMETHOD(DTO.MyObject myData)

score 3 · Answer 11 · answered May 23 '16 at 06:36

For PHP, it was simply:

Open IIS
Go to Handler Mappings
click edit on php5.6.x or php7.0.x
click "request restrictions"
under the verbs tab, select "one of the following verbs" and add "GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS"

I imagine this will work with other handlers too.

Arun · Answer 12 · 2015-11-16T12:34:32.000

Besides all above solutions, check if you have the "id" or any custom defined parameter in the DELETE method is matching the route config.

public void Delete(int id)
{
 //some code here
}

If you hit with repeated 405 errors better reset the method signature to default as above and try.

The route config by default will look for id in the URL. So the parameter name id is important here unless you change the route config under App_Start folder.

You may change the data type of the id though.

For example the below method should work just fine:

public void Delete(string id)
{
 //some code here
}

Note: Also ensure that you pass the data over the url not the data method that will carry the payload as body content.

DELETE http://{url}/{action}/{id}

Example:

DELETE http://localhost/item/1

Hope it helps.

score 2 · Answer 13 · edited Jul 03 '18 at 12:16

I have faced the same issue with you, then solved it, Here are solutions, I wish it maybe can help
First

In the IIS modules Configuration, loop up the WebDAVModule, if your web server has it, then remove it

Second

In the IIS handler mappings configuration, you can see the list of enabling handler, to choose the PHP item, edit it, on the edit page, click request restrictions button, then select the verbs tab in the modal, in the specify the verbs to be handle label, check the all verbs radio, then click ok, you also maybe see a warning, it shows us that use double quotation marks to PHP-CGI execution, then do it

if done it, then restart IIS server, it will be ok

I only removed WebDAVModule from IIS website and that worked for me — Umair Malhi, Oct 06 '18 at 14:23

score 1 · Answer 14 · edited Feb 09 '13 at 03:04

1

I am not sure if you have edited right configuration file. Try following steps

open %userprofile%\ducuments\iisexpress\config\applicationhost.config
By default bellow given entries are commented in the applicationhost.config file. uncomment these entries.

<add name="WebDAVModule" image="%IIS_BIN%\webdav.dll" />


<add name="WebDAVModule" />

<add name="WebDAV" path="*"
 verb="PROPFIND,PROPPATCH,MKCOL,PUT,COPY,DELETE,MOVE,LOCK,UNLOCK"
 modules="WebDAVModule" resourceType="Unspecified" requireAccess="None"
 />

edited Feb 09 '13 at 03:04

Leniel Maccaferri

94,281
40
348
451

answered Jun 06 '12 at 01:54

vikomall

16,953
6
44
38

4

messing with applicationhost.config? nope – Toolkit Aug 13 '14 at 06:18
One should not mess with other than the application configuration file. First- you will do this for the entire server and forget, then many people will wonder how it works on this machine and doesn't work on the rest. Also, if you are not allowed access to the IIS config file on the server where the application is hosted, you will have to work it out in the web.config. Imagine your dev server has the above update, will your web.config be accurate? It is a great way to loose someone's day on investigating why the production deployment has failed – Ivaylo Slavov May 16 '15 at 10:03

score 1 · Answer 15 · answered Jan 30 '17 at 18:44

1

Here is how you allow extra HTTP Verbs using the IIS Manager GUI.

In IIS Manager, select the site you wish to allow PUT or DELETE for.
Click the "Request Filtering" option. Click the "HTTP Verbs" tab.
Click the "Allow Verb..." link in the sidebar.
In the box that appears type "DELETE", click OK.
Click the "Allow Verb..." link in the sidebar again.
In the box that appears type "PUT", click OK.

answered Jan 30 '17 at 18:44

Chaoix

1,118
9
13

nice try - something different for once - but still didnt work! – Developer1010 Nov 28 '17 at 20:36
I had tried everything else I've seen suggested on SO and elsewhere. I finally tried this and it worked perfectly. In my case, the PUT and DELETE verbs were already in the list, and I had to first remove them, then add them back using the Allow Verb... link, but still, it worked when nothing else had. Thank you so much! – JTennessen Dec 11 '17 at 06:56

score 1 · Answer 16 · answered Jan 10 '19 at 15:12

I am using an ashx file in an MVC application and none of the above answers worked for me. IIS 10.

Here's what did work. Instead of changing "ExtensionlessUrl-Integrated-4.0" in IIS or web.config I changed "SimpleHandlerFactory-Integrated-4.0" for "*.ashx" files:

<add name="SimpleHandlerFactory-Integrated-4.0" path="*.ashx" 
verb="GET,HEAD,POST,DEBUG,PUT,DELETE" 
type="System.Web.UI.SimpleHandlerFactory" 
resourceType="Unspecified" requireAccess="Script" 
preCondition="integratedMode,runtimeVersionv4.0" />

score 0 · Answer 17 · edited May 23 '17 at 11:54

0

The another reason can be the following:
I changed my Url for Web Api method according to this answer:

Url.Action("MyAction", "MyApiCtrl", new { httproute = "" })

But this method creates link like:

/api/MyApiCtrl?action=MyAction

This works correctly with GET and POST requests but not with PUT or DELETE.
So I just replaced it with:

/api/MyApiCtrl

and it fixed the problem.

edited May 23 '17 at 11:54

Community

1
1

answered Apr 25 '14 at 09:03

Nicolai

1,867
1
22
30

score 0 · Answer 18 · answered Jun 08 '17 at 06:07

In IIS 8.5/ Windows 2012R2, Nothing mentioned here worked for me. I don't know what is meant by Removing WebDAV but that didn't solve the issue for me.

What helped me is the below steps;

I went to IIS manager.
In the left panel selected the site.
In the left working area, selected the WebDAV, Opened it double clicking.
In the right most panel, disabled it.

Now everything is working.

score -1 · Answer 19 · answered Sep 16 '15 at 18:42

-1

You can convert your Delete method as POST as;

 [HttpPost]
 public void Delete(YourDomainModel itemToDelete)
 {
 }

answered Sep 16 '15 at 18:42

Teoman shipahi

43,086
13
113
137

ASP.NET Web API - PUT & DELETE Verbs Not Allowed - IIS 8

19 Answers19

Linked