3

I have an ASPX page embedded in Dynamics CRM. The ASPX page uses OpenID and an ADFS application group to authenticate and had been working up until security update KB4493473 (it is an assumption that the update is causing the issue). Prior to the update, when the user loaded the CRM form, the iframe would seamlessly load without issue or authentication prompts. Since the update, the console gives this message: 'https://sts...... &x-client-SKU=ID_NET451&x-client-ver=5.2.1.0' in a frame because it set 'X-Frame-Options' to 'deny'.

I have not found any way to have ADFS NOT send that X-Frame header. Is there any workaround here?

user1202839

1 Answer

3

We have had a similar problem for some weeks on a project I work on (iframe integration no longer working because of ADFS, apparently since the May Windows cumulative update was installed).

Luckily, a colleague found a workaround with this ADFS PowerShell command:

Set-AdfsResponseHeaders -RemoveHeaders "X-Frame-Options"

This command is documented for ADFS 2019 (but works on ADFS 4 too): https://learn.microsoft.com/fr-fr/windows-server/identity/ad-fs/operations/customize-http-security-headers-ad-fs

Hope this will help. Regards,

RGT
  • Just signed up to say thanks for this. I was banging my head against a brick wall trying to find the PowerShell module to allow me to set Set-ADFSResponseHeaders and not getting anywhere. In Windows 2016 the module becomes available when you install KB4503267. Hopefully this will save someone the same pain in the future. Cheers. – James O'Driscoll Jul 10 '19 at 23:59
  • You're welcome. I know what you mean, this gave me a severe headache too! Can I ask you to vote for my answer, as it helped you? :) – RGT Sep 10 '19 at 16:36
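Removing X-Frame-Options outright lets any site frame the ADFS sign-in page, so the following added example (not part of the original answer or of Microsoft's documentation) pairs the removal with a Content-Security-Policy `frame-ancestors` directive that names only the page hosting the iframe. The origin `https://crm.example.com`, the backup file name and the helper `Merge-FrameAncestors` are hypothetical, and the script assumes `ResponseHeaders` is the name/value dictionary that `Get-AdfsResponseHeaders` displays.

```powershell
# Added example: placeholder origin, replace with the origin that hosts the iframe.
$AllowedParents = @('https://crm.example.com')

function Merge-FrameAncestors {
    # Return $Csp with any existing frame-ancestors directive replaced by one
    # listing $Origins; every other directive is kept unchanged.
    param([string]$Csp, [string[]]$Origins)
    $directives = @($Csp -split ';' | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -notmatch '^frame-ancestors(\s|$)' })
    $directives += 'frame-ancestors ' + ($Origins -join ' ')
    return ($directives -join '; ')
}

# On Windows Server 2016 the cmdlet only exists after the update mentioned in the comments.
if (-not (Get-Command Set-AdfsResponseHeaders -ErrorAction SilentlyContinue)) {
    throw 'Set-AdfsResponseHeaders is not available on this server.'
}

# Snapshot the current header values so the change can be rolled back.
$saved = @{}
foreach ($entry in (Get-AdfsResponseHeaders).ResponseHeaders.GetEnumerator()) {
    $saved[$entry.Key] = $entry.Value
}
$saved | ConvertTo-Json | Set-Content -Path .\adfs-response-headers.before.json

# Restrict framing to the allowed parents, then drop the blanket DENY header.
$newCsp = Merge-FrameAncestors -Csp $saved['Content-Security-Policy'] -Origins $AllowedParents
Set-AdfsResponseHeaders -SetHeaderName 'Content-Security-Policy' -SetHeaderValue $newCsp
Set-AdfsResponseHeaders -RemoveHeaders 'X-Frame-Options'

# Show the resulting configuration for review.
(Get-AdfsResponseHeaders).ResponseHeaders
```

Internet Explorer does not honor `frame-ancestors`, so users on that browser get no framing restriction once X-Frame-Options is removed.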