CORS with Safari, NTLM Authentication

Okay. So I have a CORS problem with Safari, ntlm Authentication. Just to start off with I have looked a this post CORS request not working in Safari and it does not fix my problem. Also the code works in all other browsers but Safari This is going hitting a .net/c# web Api The config on the .net site look like

    <!-- <add name="Access-Control-Allow-Origin" value="*" /> -->
    <add name="Access-Control-Allow-Headers" value="X-AspNet-Version,X-Powered-By,Date,Server,Accept,Accept-Encoding,Accept-Language,Cache-Control,Connection,Content-Length,Content-Type,Host,Origin,Pragma,Referer,User-Agent" />
    <add name="Access-Control-Allow-Methods" value="GET,POST,PUT,DELETE,OPTIONS" />
    <add name="Access-Control-Allow-Credentials" value="true" />

I want to make sure that the api can be hit from a few deferent places so in code I do

public override void OnActionExecuted(System.Web.Http.Filters.HttpActionExecutedContext context)
        if (context.Exception != null) // hndle exception your self
                string.Format("{0}: OnActionExecuted exception: {1}", Thread.CurrentThread.ManagedThreadId, context.Exception.Message));

            // handle/format exception
            context.Response = HandleException(context.Exception, context.ActionContext.ActionArguments);
                string.Format("{0}: OnActionExecuted: {1} Time: {2}", Thread.CurrentThread.ManagedThreadId,context.Response.StatusCode, this.auditData.ElapsedTime));

            // log what happened

            if (context.Request.Headers.Referrer != null)
                string corsValue = context.Request.Headers.Referrer.GetLeftPart(UriPartial.Authority);
                context.Response.Headers.Add("Access-Control-Allow-Origin", corsValue);
            // return data

On the client I am using a simple XMLHttpRequest request.

var xmlhttp = new XMLHttpRequest();
xmlhttp.withCredentials = true;      "GET", “ntlm_xxxxyyy.uuu/login”, true);
xmlhttp.onreadystatechange = function () {}

the server is IIS2012 R2 the Authentication is set to Anonymous. I have looked at CORS request not working in Safari and a few other sites. But they all seem to reference the link above.

Please help Thanks