Version Affected: ADFS VAM on Windows Server 2019+
Description:
When the ADFS VAM is installed on a Windows Server 2019 AD FS server, the MFA options screen may fail to display correctly.
Reproducing the problem with the browser's Developer Tools open may show the following error (or similar) in the Console or Network tab:
Refused to load the script 'https://pretend.domain.com/SecureAuth12/....' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
Cause:
AD FS on Windows Server 2019 sends security response headers by default, including a Content-Security-Policy (CSP), to protect against cross-site scripting, clickjacking and other data injection attacks by preventing browsers from inadvertently executing malicious content.
The default-src directive of that policy only allows content to be loaded from the same origin (scheme and host) as the web page. When the ADFS VAM attempts to pull scripts and other content from the Identity Platform server, the browser blocks the request if the default Content Security Policy is in use and the Identity Platform server resides in a different domain.
Resolution:
To fix this problem, alter the Content-Security-Policy header on the AD FS server so that content may be retrieved from the Identity Platform servers.
This is done by running the following PowerShell commands on the AD FS server:
# Extend the default policy: keep 'self' so the AD FS server's own scripts, styles and images still load, and add the Identity Platform origin
Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src 'self' https://domain1.com 'unsafe-inline' 'unsafe-eval'; img-src 'self' https://domain1.com data:;"
Set-AdfsResponseHeaders -SetHeaderName "X-Frame-Options" -SetHeaderValue "deny"
Set-AdfsResponseHeaders -EnableResponseHeaders $true
In the example above, replace https://domain1.com with the origin shown in the error, here https://pretend.domain.com (scheme and host only, without the /SecureAuth12/ path).
The commands set a Content-Security-Policy header that allows content to be loaded from https://domain1.com. Note that the header value replaces the default policy rather than adding to it, so keep 'self' in the default-src and img-src lists; otherwise the AD FS server's own scripts, styles and images are blocked as well.
If you need to add two trusted sources to the Content-Security-Policy header, list the second origin straight after the first, as in the example below:
# Same as above with a second trusted origin; 'self' is kept so AD FS's own resources continue to load
Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src 'self' https://domain1.com https://domain2.com 'unsafe-inline' 'unsafe-eval'; img-src 'self' https://domain1.com https://domain2.com data:;"
Set-AdfsResponseHeaders -SetHeaderName "X-Frame-Options" -SetHeaderValue "deny"
Set-AdfsResponseHeaders -EnableResponseHeaders $true
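To check a policy before applying it, the following added Python example (not SecureAuth's or Microsoft's code) applies the same directive fallback the console error describes (script-src-elem, then script-src, then default-src) to a script URL, and lists which sources of the default policy a replacement header would drop. The AD FS origin https://adfs.example.com and the script file name under /SecureAuth12/ are constructed values; source matching is simplified to 'self' and explicit scheme://host entries.

```python
from urllib.parse import urlparse
# Directive fallback a browser applies to <script src>, as the console error on this page describes.
SCRIPT_CHAIN = ("script-src-elem", "script-src", "default-src")

def parse_csp(header):
    """Parse "name src src; name src" into {name: [src, ...]} (directive names lower-cased)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, url, page_origin):
    """Simplified matching: the 'self' keyword or an explicit scheme://host; no wildcards, bare hosts or paths."""
    u = urlparse(url)
    url_origin = f"{u.scheme}://{u.netloc}".lower()
    if source.lower() == "'self'":
        return url_origin == page_origin.lower()
    if source.startswith("'") or "://" not in source:
        return False  # keywords, nonces/hashes, bare schemes or hosts are treated as non-matching here
    s = urlparse(source)
    return f"{s.scheme}://{s.netloc}".lower() == url_origin

def script_allowed(header, script_url, page_origin):
    """Return (allowed, governing_directive) for an external script under this policy."""
    policy = parse_csp(header)
    for directive in SCRIPT_CHAIN:
        if directive in policy:
            return any(source_matches(s, script_url, page_origin) for s in policy[directive]), directive
    return True, None  # no script-governing directive: CSP does not restrict the load

def missing_sources(old_header, new_header):
    """Per directive, sources the old policy allowed that the new one dropped (e.g. a lost 'self')."""
    old, new = parse_csp(old_header), parse_csp(new_header)
    lost = {}
    for directive, sources in old.items():
        gone = sorted(set(sources) - set(new.get(directive, [])))
        if gone:
            lost[directive] = gone
    return lost

# Constructed inputs: the AD FS origin and script file name are assumptions; the policy strings
# follow the error message and the Set-AdfsResponseHeaders example on this page.
ADFS_ORIGIN = "https://adfs.example.com"
VAM_SCRIPT = "https://pretend.domain.com/SecureAuth12/vam.js"
DEFAULT_CSP = "default-src 'self' 'unsafe-inline' 'unsafe-eval'"
FIXED_CSP = "default-src 'self' https://pretend.domain.com 'unsafe-inline' 'unsafe-eval'; img-src 'self' https://pretend.domain.com data:;"
if __name__ == "__main__":
    print("default:", script_allowed(DEFAULT_CSP, VAM_SCRIPT, ADFS_ORIGIN), "fixed:", script_allowed(FIXED_CSP, VAM_SCRIPT, ADFS_ORIGIN))
```

Paste the value you intend to pass to -SetHeaderValue into FIXED_CSP and run missing_sources(DEFAULT_CSP, FIXED_CSP); a non-empty result means the new header removed a source the default policy had.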
Special Considerations (optional as needed):
For more information on the AD FS Content-Security-Policy header, see:
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/customize-http-security-headers-ad-fs
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.