ADFS VAM on Windows Server 2019 and Content Security Policy

    Applies to:
  • SecureAuth Identity Platform
    Deployment model:
  • Hybrid
    Version Affected: ADFS VAM on Windows Server 2019+

    Description:
    Placing the ADFS VAM onto a Windows Server 2019 server can cause the MFA options screen to fail to display correctly.

    Reproducing the problem with the browser's Developer Tools open may show the error below (or a similar one) in the Console or Network tab:
    Refused to load the script 'https://pretend.domain.com/SecureAuth12/....' because it violates the following Content Security Policy directive:  "default-src 'self' 'unsafe-inline' 'unsafe-eval'". Note that 'script-source-elem' was not explicityly set, so 'default-src' is used as a fallback.

    Cause:
    Windows Server 2019 includes extra security to protect against cross-site scripting, clickjacking and other data injection attacks by preventing browsers from inadvertently executing malicious content; part of this is a default Content-Security-Policy header sent by ADFS.
    The default-src directive in that default policy only allows content to be loaded from the same origin (domain) as the web page. When the ADFS VAM attempts to pull data from the Identity Platform server, that request is therefore blocked if the default Content Security Policy is in use and the Identity Platform server resides in a different domain.

    Resolution:
    To fix this problem, alter the Content-Security-Policy header on the ADFS server so that content can be retrieved from the Identity Platform servers.
    This can be carried out by running the PowerShell commands below:

    Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src https://domain1.com 'unsafe-inline' 'unsafe-eval'; img-src https://domain1.com data:;"
    Set-AdfsResponseHeaders -SetHeaderName "X-Frame-Options" -SetHeaderValue "deny" 
    Set-AdfsResponseHeaders -EnableResponseHeaders $true

    In the above example, https://domain1.com is replaced with the origin seen in the error, here https://pretend.domain.com.
    The commands set a Content-Security-Policy header that allows content to be loaded from https://domain1.com, set X-Frame-Options to deny so the sign-in page cannot be framed, and enable the response headers.

    If you need to add two trusted sources to the Content-Security-Policy header, list the second domain straight after the first, as in the example below:

    Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src https://domain1.com https://domain2.com 'unsafe-inline' 'unsafe-eval'; img-src https://domain1.com https://domain2.com data:;" 
    Set-AdfsResponseHeaders -SetHeaderName "X-Frame-Options" -SetHeaderValue "deny"
    Set-AdfsResponseHeaders -EnableResponseHeaders $true
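
    As an added example (not from the SecureAuth article), the following PowerShell builds the header value from a list of Identity Platform origins instead of hand-editing the string, rejects anything that is not a bare https origin before touching ADFS, and reads the configuration back afterwards. The origin values in $TrustedOrigins are constructed placeholders; 'self' is retained from the default policy quoted in the console error so the ADFS page's own resources stay allowed.

```powershell
# Added example, not the vendor's code. Replace these constructed placeholder
# origins with the host seen in the browser console error (e.g. https://pretend.domain.com).
$TrustedOrigins = @(
    'https://idp1.example.com',   # constructed placeholder
    'https://idp2.example.com'    # constructed placeholder
)

# Fail early on anything that is not a plain https origin: a stray path, http://
# scheme or trailing slash would either widen the policy or produce a value the
# browser does not match, so validate before changing the AD FS configuration.
foreach ($origin in $TrustedOrigins) {
    $uri = $null
    if (-not [Uri]::TryCreate($origin, [UriKind]::Absolute, [ref]$uri) -or
        $uri.Scheme -ne 'https' -or
        $uri.AbsolutePath -ne '/' -or
        $origin.EndsWith('/')) {
        throw "Not a plain https origin: $origin"
    }
}

# Source list as CSP expects it: space separated, one entry per origin.
$sources = $TrustedOrigins -join ' '

# 'self' comes from the default policy quoted in the console error, so same-origin
# scripts and images served by AD FS itself remain allowed. 'unsafe-inline' and
# 'unsafe-eval' are kept because the article's working values require them.
$csp = "default-src 'self' $sources 'unsafe-inline' 'unsafe-eval'; " +
       "img-src 'self' $sources data:;"

Set-AdfsResponseHeaders -SetHeaderName 'Content-Security-Policy' -SetHeaderValue $csp
Set-AdfsResponseHeaders -SetHeaderName 'X-Frame-Options' -SetHeaderValue 'deny'
Set-AdfsResponseHeaders -EnableResponseHeaders $true

# Read the configured headers back so the change can be confirmed before
# re-testing the MFA options screen in a browser with Developer Tools open.
Get-AdfsResponseHeaders | Format-List
```

    Re-test with the browser console open; if the "Refused to load the script" message still appears, the origin it names must match one of the entries exactly, including scheme and port.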


    Special Considerations:

    For more information on the Content-Security-Policy header in ADFS, see:
    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/customize-http-security-headers-ad-fs

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
