Accessing Aras Innovator instance outside the network using Ngrok Tunneling

Hello Team,

I have installed Aras Innovator 2023 on Windows Server 2022 successfully. I can log in to the Innovator Instance using the localhost URL on the server and the hostname_server URL on the same network machine without any error. I am using the Ngrok Tunneling Client to forward the static domain to the local host to access the innovator Instance outside the network. While doing so, I am receiving an error that states "Error: Cannot access OAuth Server due to CORS policies". 

Below is the command used for Ngrok tunneling

cmd: ngrok --domain=xxx.yyy 80 --host-header=Access-Control-Allow-Origin

where xxx.yyy is the static domain name

Also, I have modified the below-given line in the <customHeaders> section of ...\Innovator\Server\web.config.

WAS: <add name="Access-Control-Allow-Origin" value="*" />

IS: <add name="Access-Control-Allow-Origin" value="https://xxx.yyy" />

Finally, I followed the below steps to solve the issue which didn't help though. [Reference:]

The following steps will also avoid the CORS error:

  1. Open the IIS Manager.
  2. Select your Aras Innovator instance from the site list in the Connections pane.
  3. In the center pane, select HTTP Response Headers from the IIS section.
  4. In the Actions pane on the right, select Add…
  5. Add a header with the following values:
    • Name: Access-Control-Allow-Headers
    • Value: database, authpassword, authuser, soapaction, content-type
  6. Click Add… again and add another header with the following values:
    • Name: Access-Control-Allow-Origin
    • Value: https domain to whitelist or *

Ngrok Log:

Client Error:

Note: The above approach is for testing purposes only.

  • I don´t have a solution, but I have this question too! I once did some similar tests and got the same error message. I also followed the guidelines from the GitHub post, but weren´t able to solve it.

    Here´s a screenshot of my last tries back then. According to some comment of mine, "made progress but still failed". 

  • Based on the information you provided, it seems that you have already taken several steps to address the CORS (Cross-Origin Resource Sharing) error when accessing your Aras Innovator instance through Ngrok tunneling. However, it appears that the issue persists.

    Here are a few additional suggestions you can try to resolve the CORS error:

    1. Double-check the modified line in the <customHeaders> section of the web.config file: Ensure that the value attribute is set correctly to "">https://xxx.yyy". Verify that there are no typos or extra spaces in the value.

    2. Restart the Aras Innovator server: After making changes to the web.config file, it's essential to restart the Aras Innovator server for the modifications to take effect. Restart the server and check if the CORS error still occurs.

    3. Verify the headers in the IIS Manager: Open the IIS Manager and navigate to your Aras Innovator instance. In the center pane, select "HTTP Response Headers" from the IIS section. Ensure that the headers you added are present and correctly configured with the expected values.

    4. Test with a different tunneling solution: Since you mentioned that you are using Ngrok for tunneling, you might consider trying an alternative tunneling solution, such as localtunnel or ngrok alternatives like Serveo or PageKite. It's possible that using a different tunneling service could help bypass the CORS error.                    tunnel rush

    5. Seek assistance from Aras Innovator community or support: If the issue persists despite your efforts, it would be beneficial to reach out to the Aras Innovator community or support team. They may have specific insights into configuring CORS for Aras Innovator instances or be able to provide additional troubleshooting guidance.

  • Just wondering if anyone has the solution to this issue? Adding header to IIS and modifying web.config doesn’t work for me.

    Tried to tunnel using serveo and pagekite, but still receiving the same error.
    Below is my IIS header setting:

    I managed to fix this CORS issue. It comes down to mixed content being blocked by browser (ie: visiting website from https:// but some content is served using http://). When tunneling with ngrok, the default scheme used is https, thus causing some issue when some part of aras is loaded using http.

    eg of mixed content being blocked.

    Below is my configuration for IIS response header, 0authserver config, and ngrok.


    Content-Security-Policy header for HTTP allow for the browser to treat http request as a valid https request. (

    Some of the headers are not required but i tend to just leave it like that.

    0authserver web.config

    0authserver 0auth.config


    ngrok tunnel was served using both http & https scheme.

    Accessing Aras through ngrok tunnel


    I have followed the steps. I am getting the below error. I have checked my config files for typos. But no luck. Please suggest. 

  • Can you verify that you’re able to sign in to aras locally?

    This might help to troubleshoot


    After I replacing the "web.config" from my backup (i.e. Just replaced "" with my ngrok website in the OOTB web.config file), I am able to access the ARAS innovator outside the network without any issue.

    Notably, I appreciate your finding on https & http conflict with the Ngrok tunnelling.

    RCA: Missing of "Content-Security-Policy" header with value "update-insecure-requests" under IIS