Getting past REST call errors

I’m building a small web page as a prototype for a document manager. For any Epicor data it uses, it will make REST calls to BAQs. I am making the GET request through ajax. The first issue I was having was with CORS. I added a value in IIS - Access-Control-Allow-Origin = *, just to get it working - and now I’m having another error in Chrome:

The credentials are valid. When I use JSONP as the datatype, I get the response I want, only this isn’t the correct datatype so there are syntax errors of course.

Here’s my call:

var header = {
  "Authorization": "Basic " + auth,
  "Cache-Control": "no-cache",
  "Postman-Token": "41e0d69e-4912-4a08-b1a3-a5077a63ed25"
};

var settings = {
  "async": true,
  "dataType": "json",
  "method": "GET",
  "url": url,
  "Content-Type": "application/json",
  "headers": header
};

$.ajax(settings).done(function (response) {
  // handle the BAQ response here
});

So forbidden is an authentication issue… are you sure your “auth” is correct?

I think it may have to do with your server not requesting the options headers. I am assuming you are not SaaS, so you might want to look under the network tab in the console.

Yes. I used the authorization information straight from Postman to double check. I can use these credentials to access the REST help from the server (https://e102/erp102200/…).

In the Epicor Admin Console or IIS? Do I have to assign variables somewhere or is there a menu for adjusting this?

I think you should read this link

Even though it is with a framework, it might guide you in the right direction. This is the response marked as solved.

In my previous experience with this issue, this was resolved on the server side by the other company, so I did not know how they solved it, but I guided them to the answer, haha, if that makes sense at all.

The CORS contract requires that authentication not be required on the pre-flight OPTIONS request. It looks like your back-end is requiring authentication on the OPTIONS request and the GET.

When you access your back-end with Postman, you are only sending a GET. The browser will send an OPTIONS request first (without your authentication header), and look for the response to have an “Access-Control-Allow-Origin” header that matches the origin of the page making the request.

If the response to the OPTIONS request is not a 2xx, or the header is not present, or the header value does not match the requesting page’s origin, you will get the error that you are experiencing, and the GET request will not be made.

TLDR; change your back-end to not require authentication for the OPTIONS method when handling the login url.
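Added example, not part of the thread: a simplified model of the check a browser applies to the pre-flight response before it sends the GET, run against constructed sample responses for the three headers the jQuery call above sets. The origin, header values and sample responses are placeholders, and the model assumes the request is sent without `withCredentials`.

```javascript
// Added example. Responses are constructed samples, not captured from a server.
// Header names a browser may send cross-origin without asking permission first.
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

const tokens = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// True when a request header has to be approved by the pre-flight response.
function needsApproval(name, value) {
  if (name === "content-type") return !SIMPLE_TYPES.includes(value.split(";")[0].trim().toLowerCase());
  return !SAFELISTED.has(name);
}

// Returns "ok", or the reason the browser never sends the real request.
function checkPreflight(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;
  if (res.status < 200 || res.status > 299) return `pre-flight status ${res.status} is not 2xx`;
  const origin = h["access-control-allow-origin"];
  if (!origin) return "Access-Control-Allow-Origin is missing";
  if (origin !== "*" && origin !== req.origin) return "Access-Control-Allow-Origin does not match the page origin";
  const allowed = tokens(h["access-control-allow-headers"]);
  for (const [rawName, value] of Object.entries(req.headers)) {
    const name = rawName.toLowerCase();
    if (!needsApproval(name, value)) continue;
    // A "*" wildcard never covers Authorization; it must be listed by name.
    const ok = allowed.includes(name) || (name !== "authorization" && allowed.includes("*"));
    if (!ok) return `header "${name}" is not in Access-Control-Allow-Headers`;
  }
  return "ok";
}

// The headers the jQuery call on this page sets; origin and values are placeholders.
const request = {
  origin: "http://localhost:8080",
  headers: { "Authorization": "Basic <placeholder>", "Cache-Control": "no-cache", "Postman-Token": "<placeholder>" },
};
const cors = (status, extra) => ({ status, headers: { "Access-Control-Allow-Origin": "*", ...extra } });
const samples = {
  authOnOptions: cors(401, {}),
  originOnly: cors(200, {}),
  wildcardHeaders: cors(200, { "Access-Control-Allow-Headers": "*" }),
  explicitHeaders: cors(204, { "Access-Control-Allow-Headers": "Authorization, Cache-Control, Postman-Token" }),
};
for (const [name, res] of Object.entries(samples)) console.log(name, "->", checkPreflight(request, res));
```

Only the last sample passes: setting `Access-Control-Allow-Origin` alone is not enough once the request carries `Authorization` and other non-safelisted headers, and the OPTIONS response itself has to come back 2xx without credentials.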

just hypotheses

  1. Try to use CORS setting in web.config, not in IIS, see REST doc
  2. Check if Windows auth is switched off in IIS