API App - CORS problem with SignalR RRS feed

  • Question

  • Hey, didn't found any API App forum so i'm asking here.

    I've Api App that connecting with SignalR to a Web App both on azure with different domains.

    I've updated the MS_CrossDomainOrigins in my Api App to allow the DNS of the Web App. All the requests are ok, except the SignalR requests, where I'm getting -

    "Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is ''. It must be 'true' to allow credentials."

    It's important to say that when I run my Api and Web App locally ( also with different domains) it's working fine.

    also, I'm using the Owin startup file, startup.cs, that telling the SignalR to allow CORS, maybe the azure WebApp doesn't know how to run it?

    Monday, August 24, 2015 1:59 PM


All replies

  • Hi,

    I would suggest you to check this link if you have missed any thing.

    Using SignalR with Web Apps in Azure App Service:


    Azam khan

    Monday, August 24, 2015 5:13 PM
  • Hey Azam, My problem is with the Api App, if I'm deploying on azure web sites the SignalR is working well with CORS.
    Tuesday, August 25, 2015 9:00 AM
  • Hi,

    Please refer this link and check if it helps:


    Azam khan

    Tuesday, August 25, 2015 6:10 PM
  • Hi shacharle,

        I am also finding the same problem. During tests the web api works ok with the correct headers on the response. The moment is deployed to azure api app, the header for 'Access-Control-Allow-Credentials'   is no longer there.  How did you resolve this problem?

      I did check the accepted answer, but the information there does not provide me with a resolution.



    Tuesday, January 5, 2016 4:50 PM
  • In my case, the AJAX request was sending the following field:

      xhrFields: {
                        withCredentials: true

    This causes the browser to expect the Access-Control-Allow-Credentials header = true back. I removed the parameter from the request, and the response was 200 with a valid token for subsequent calls. There is no need to add that parameter in my case because we already provide the Authorization header with the necessary information.

    More information can be found here: http://www.ozkary.com/2015/12/api-oauth-token-access-control-allow-credentials.html

    hope it helps others.


    • Edited by ozkaryMVP Tuesday, January 5, 2016 7:01 PM
    Tuesday, January 5, 2016 5:55 PM