Here’s the final web.config section. The thing I needed to add I was missing was changing the staticFileHandler from using “all verbs” to all of them spelled out.
<?xml version="1.0" encoding="utf-8"?> <configuration> <appSettings> <add key="StorageRoot" value="C:\temp\"/> </appSettings> <system.web> <compilation debug="true" targetFramework="4.0" /> <httpRuntime maxRequestLength="2147480000" executionTimeout="3600"/> <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID"/> </system.web> <system.webServer> <modules> <remove name="WebDAVModule" /> </modules> <handlers accessPolicy="Read, Write, Execute, Script"> <remove name="StaticFile" /> <remove name="SimpleHandlerFactory-ISAPI-2.0" /> <remove name="WebDAV" /> <remove name="SimpleHandlerFactory-Integrated-4.0" /> <remove name="SimpleHandlerFactory-Integrated" /> <add name="SimpleHandlerFactory-Integrated" path="*.ashx" verb="GET,HEAD,POST,DEBUG,PUT,DELETE" type="System.Web.UI.SimpleHandlerFactory" resourceType="Unspecified" requireAccess="Write" preCondition="integratedMode" /> <add name="SimpleHandlerFactory-Integrated-4.0" path="*.ashx" verb="GET,HEAD,POST,DEBUG,PUT,DELETE" type="System.Web.UI.SimpleHandlerFactory" resourceType="Unspecified" requireAccess="Write" preCondition="integratedMode,runtimeVersionv4.0" /> <add name="SimpleHandlerFactory-ISAPI-2.0" path="*.ashx" verb="GET,HEAD,POST,DEBUG,PUT,DELETE" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv2.0,bitness32" responseBufferLimit="0" /> <add name="StaticFile" path="*" verb="GET,HEAD,POST,DEBUG,PUT,DELETE" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" /> </handlers> <security> <requestFiltering> <requestLimits maxAllowedContentLength="2147480000"/> </requestFiltering> <authorization> <remove users="*" roles="" verbs="" /> <add accessType="Allow" users="*" verbs="GET,HEAD,POST,PUT,DELETE,DEBUG" /> </authorization> </security> <tracing> <traceFailedRequests> <remove path="*" /> <add path="*"> <traceAreas> <add provider="ASP" verbosity="Verbose" /> <add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" /> <add provider="ISAPI Extension" verbosity="Verbose" /> <add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI" verbosity="Verbose" /> </traceAreas> <failureDefinitions statusCodes="405" /> </add> </traceFailedRequests> </tracing> </system.webServer> </configuration>