How to configure IIS to handle CORS requests to msmdpump.dll

Question

We're using a third party Javascript plugin to connect to SSAS through an msmdpump.dll endpoint to display reporting data. We're having trouble with our msmdpump.dll connection due to CORS errors.

Event Viewer log:

The description for Event ID 25 from source MSOLAP ISAPI Extension: \\?\C:\inetpub\wwwroot\OLAP\msmdpump.dll cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.  
  
If the event originated on another computer, the display information had to be saved with the event.  
  
The following information was included with the event:   
  
msmdsrv.rll  
3081  
  
The message resource is present but the message was not found in the message table  

IIS Failed Request Logs:

<failedRequest url="http://localhost:80/olap/msmdpump.dll"  
               siteId="1"  
               appPoolId="OLAP"  
               processId="47036"  
               verb="OPTIONS"  
               remoteUserName=""  
               userName=""  
               tokenUserName="IIS APPPOOL\OLAP"  
               authenticationType="anonymous"  
               activityId="{800002ED-0005-A000-B63F-84710C7967BB}"  
               failureReason="STATUS_CODE"  
               statusCode="500"  
               triggerStatusCode="500"  
               timeTaken="47"  
               xmlns:freb="http://schemas.microsoft.com/win/2006/06/iis/freb"  
               >  

The plugin can connect to the provider's demo msmdpump.dll just fine so I'm assuming it's our IIS configuration.

I've tried to follow documentation to setup CORS in IIS and many error solutions around but they haven't helped.
https://learn.microsoft.com/en-us/analysis-services/instances/configure-http-access-to-analysis-services-on-iis-8-0?view=asallproducts-allversions
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSPreflightDidNotSucceed

Our configuration is as follows:

• IIS Website: http://localhost/OLAP/msmdpump.dll
• IIS Website: http://localhost/PluginApp
• IIS websites use Anonymous Authentication
• IIS Application pool: OLAP runs in Classic mode
• IIS Handler mapping configured for msmdpump.dll
• Using same version of msmdpump.dll as the SSAS cube
• Http only on client and server (for testing)
• SSAS and IIS websites all reside on one machine (for testing)
• SSAS cube configures roles for the AppPool user

AppPool

Handler Mapping

web.config for http://localhost/OLAP:

<?xml version="1.0" encoding="UTF-8"?>  
<configuration>  
  <system.webServer>  
    <handlers>  
      <add name="OLAP" path="msmdpump.dll" verb="*" modules="IsapiModule" scriptProcessor="C:\inetpub\wwwroot\OLAP\msmdpump.dll" resourceType="File" requireAccess="Script" preCondition="bitness64" />     
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />  
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />  
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />  
      <remove name="WebDav" />  
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />  
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />  
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />  
      <remove name="OPTIONSVerbHandler" />  
      <add name="OPTIONSVerbHandler" path="*" verb="OPTIONS" modules="IsapiModule" scriptProcessor="C:\Windows\System32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="None" />  
      </handlers>  
    <defaultDocument enabled="true">  
      <files>  
        <add value="msmdpump.dll" />  
      </files>  
    </defaultDocument>  
 <security>  
 <authorization>  
 <remove users="*" roles="" verbs="" />  
 <add accessType="Allow" users="?" verbs="OPTIONS" />  
 <add accessType="Allow" users="" roles="USERS" />  
 </authorization>  
 <requestFiltering>  
 <verbs allowUnlisted="true" applyToWebDAV="true">  
   <remove verb="OPTIONS"/>  
   <add verb="OPTIONS" allowed="true"/>  
 </verbs>  
 </requestFiltering>  
 </security>  
 <httpProtocol>  
   <customHeaders>  
  <add name="Access-Control-Allow-Origin" value="*" />  
  <add name="Access-Control-Allow-Credentials" value="true" /  
  <add name="Access-Control-Allow-Methods" value="POST, OPTIONS" />  
  <add name="Access-Control-Allow-Headers" value="Origin, Content-Type, Accept, Authorization" />  
   </customHeaders>  
 </httpProtocol>   
  </system.webServer>  
</configuration>  

Are we missing something in our configuration? Are the CORS settings located in the right web.config? Is there a way I can diagnose the underlying 500 error?

Answer 1

If you've used some vendor plugin I suggest you contact that vendor. The only way CORS could be an issue is if that vendor has built a javascript based XMLA client. I have not seen one of these before, but if they have done that they must have documentation on how to alter the CORS configuration to work with their product.

Answer 2

CORS makes an OPTIONS request to msmdpump.dll, but this shouldn't be handled by msmdpump.dll itself, but by the OPTIONSVerbHandler. To achive this, simply restrict the OLAP handler to the POST verb. This worked for me:

<add name="OLAP" path="msmdpump.dll" verb="POST" />