
Friday, October 9, 2020

HTTP ERROR 440 is displayed when using AD FS claims-based authentication with OWA (Outlook on the Web)

Problem

You have AD FS (Windows Server 2019) claims-based authentication configured for Exchange Server 2019 Version 15.2 (Build 464.5) OWA (Outlook on the Web) and have had it working in production for months, but users have started to complain that the following error is presented after successfully authenticating at the AD FS portal to access OWA:

This page isn’t working
If the problem continues, contact the site owner.
HTTP ERROR 440


Attempting to access /ECP also throws the same error.

This appears to only happen in Chrome but not Internet Explorer or Chromium Edge (or regular Edge).

The following are the versions of Chrome that present the error above:

Version 85.0.4183.121 and 86.0.4240.75


The following are the versions of Internet Explorer and Edge Chromium that did not exhibit this issue:

Edge Chromium: 85.0.564.70

Internet Explorer 11: 11.1082.18362.0


Solution

A quick search for this issue on the internet returned the following thread on Reddit:

https://www.reddit.com/r/exchangeserver/comments/iyirls/owa_440_error_in_chrome/

It appears the quickest way to load the page in Chrome is to navigate to the following setting:

chrome://flags/#reduced-referrer-granularity

Then change Reduce default ‘referrer’ header granularity from Default to Disabled:


This can also be configured centrally through Group Policy or the registry, as described in the following document: https://cloud.google.com/docs/chrome-enterprise/policies?policy=ForceLegacyDefaultReferrerPolicy

Having worked with many clients to implement the missing security headers identified by Scott Helme’s popular scanner at https://securityheaders.com/, I felt there must be a better way of addressing this at the AD FS server level rather than on each client. The Referrer-Policy header was familiar to me because I had recently implemented it for another client’s Citrix portal; those who are not familiar with it can find more information on Scott Helme’s site: https://scotthelme.co.uk/a-new-security-header-referrer-policy/

The short description of it, as given by Scott, is: "Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites."

After reviewing the authentication and redirect process between the AD FS portal and OWA and testing the various Referrer Policy options, the most restrictive option that worked was no-referrer-when-downgrade, because it is the one that still passes the full URL to OWA on the HTTPS-to-HTTPS redirect. This is also why the Chrome flag above works: Chrome 85 changed its default referrer policy from no-referrer-when-downgrade to strict-origin-when-cross-origin, which sends only the AD FS origin (no path or query string) on the cross-site navigation to OWA, and the flag reverts that default.
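To make the comparison of policy options concrete, the following is an added Python example (not code from this post, from Microsoft, or from Chrome) that computes the Referer value a browser sends for each Referrer-Policy token on the AD FS to OWA redirect, following the rules of the Referrer Policy specification. The ADFS_URL and OWA_URL hostnames are constructed placeholders, and effective_policy parses a Referrer-Policy header value the way a browser does, which is useful when reading a server's response headers.

```python
"""
Which Referrer-Policy values let OWA receive the full AD FS page URL in the
Referer header. Added example for this post, not code from the post, from
Microsoft or from Chrome. ADFS_URL and OWA_URL are constructed placeholders.
"""
from urllib.parse import urlsplit, urlunsplit

# Every policy token defined by the Referrer Policy spec, ordered from the
# least revealing to the most. Chrome 85 moved its default from
# no-referrer-when-downgrade to strict-origin-when-cross-origin.
POLICIES = (
    "no-referrer",
    "same-origin",
    "strict-origin",
    "origin",
    "strict-origin-when-cross-origin",
    "origin-when-cross-origin",
    "no-referrer-when-downgrade",
    "unsafe-url",
)
DEFAULT_PORT = {"https": 443, "http": 80}

# Constructed placeholders: an AD FS sign-on page and the OWA endpoint the
# browser is sent to after authentication (different origins, both HTTPS).
ADFS_URL = "https://adfs.example.test/adfs/ls/?wa=wsignin1.0&wtrealm=https://mail.example.test/owa/"
OWA_URL = "https://mail.example.test/owa/"


def _origin_key(url):
    """Tuple used for the same-origin comparison: scheme, host, effective port."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORT.get(p.scheme))


def _origin_referrer(url):
    """Origin serialized the way browsers send it as a referrer: scheme://host[:port]/"""
    scheme, host, port = _origin_key(url)
    port_part = "" if port == DEFAULT_PORT.get(scheme) else f":{port}"
    return f"{scheme}://{host}{port_part}/"


def _full_referrer(url):
    """Full URL minus credentials and fragment, which a referrer never carries."""
    p = urlsplit(url)
    netloc = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def referer_for(policy, src, dst):
    """Referer header value sent on a navigation src -> dst, or None for no header."""
    same_origin = _origin_key(src) == _origin_key(dst)
    # A "downgrade" is leaving an HTTPS page for a non-HTTPS destination.
    downgrade = urlsplit(src).scheme == "https" and urlsplit(dst).scheme != "https"
    full, origin = _full_referrer(src), _origin_referrer(src)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown Referrer-Policy token: {policy!r}")


def effective_policy(header_value):
    """Parse a Referrer-Policy header value (a comma-separated token list) the
    way the spec does: the last recognised token wins and unknown tokens are
    ignored. Returns "" when nothing valid is present (browser default applies)."""
    chosen = ""
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in POLICIES:
            chosen = token
    return chosen


def policies_passing_full_url(src, dst):
    """Policies under which dst receives the complete src URL in Referer,
    least revealing first."""
    full = _full_referrer(src)
    return [p for p in POLICIES if referer_for(p, src, dst) == full]


if __name__ == "__main__":
    for p in POLICIES:
        print(f"{p:32} -> {referer_for(p, ADFS_URL, OWA_URL)}")
    print("policies that pass the full URL:", policies_passing_full_url(ADFS_URL, OWA_URL))
```

Running it shows that only no-referrer-when-downgrade and unsafe-url deliver the full AD FS URL to a different HTTPS origin, and the first of those is the less revealing one, which matches the finding above. The trade-off to keep in mind is that the header applies to every navigation away from an AD FS page, so the full AD FS URL, query string included, is sent to any HTTPS destination, not just OWA.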

The following is the official Microsoft documentation that explains how headers are configured for AD FS:

Customize HTTP security response headers with AD FS 2019
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/customize-http-security-headers-ad-fs

The document does not include Referrer-Policy in its list, but you can view and configure it with the following cmdlets executed on the AD FS server:

To view the response headers:

Get-AdfsResponseHeaders


To expand the truncated list of response headers:

PS C:\> Get-AdfsResponseHeaders | Select -ExpandProperty ResponseHeaders

Key Value
--- -----
Strict-Transport-Security max-age = 31536000
X-Frame-Options DENY
X-Content-Type-Options nosniff
X-XSS-Protection 1; mode=block
Content-Security-Policy default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; frame-src *.duosecurity....

PS C:\>


To configure the Referrer Policy:

Set-AdfsResponseHeaders -SetHeaderName "Referrer-Policy" -SetHeaderValue "no-referrer-when-downgrade"

Confirm that the Referrer-Policy is configured with the following cmdlet:

Get-AdfsResponseHeaders | Select -ExpandProperty ResponseHeaders

Key Value
--- -----
Strict-Transport-Security max-age = 31536000
X-Frame-Options DENY
X-Content-Type-Options nosniff
X-XSS-Protection 1; mode=block
Content-Security-Policy default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; frame-src *.duosecurity....
Referrer-Policy no-referrer-when-downgrade


To remove the Referrer Policy:

If the Referrer-Policy header needs to be removed, the following cmdlet can be executed:

Set-AdfsResponseHeaders -RemoveHeaders "Referrer-Policy"
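Get-AdfsResponseHeaders confirms what AD FS is configured to send; the following added Python example (not the post author's or Microsoft's code) confirms what a client actually receives, which is the same kind of check the securityheaders.com scanner performs. It requests an AD FS page and audits the response for the headers listed in the Get-AdfsResponseHeaders output above plus the Referrer-Policy value set by the cmdlet. ADFS_SIGNON_URL is a constructed placeholder and SAMPLE_HEADERS is a constructed response modelled on that output (with the truncated Content-Security-Policy shortened); audit_headers runs on that sample without any network access.

```python
"""
End-to-end check that AD FS serves the expected security response headers.
Added example for this post, not Microsoft's or the author's code.
ADFS_SIGNON_URL is a placeholder; SAMPLE_HEADERS is a constructed response.
"""
import urllib.error
import urllib.request

ADFS_SIGNON_URL = "https://adfs.example.test/adfs/ls/"  # placeholder, any AD FS page will do

# Headers to expect, keyed by lower-case name. None means any value is accepted;
# a string means the value must match (case-insensitively).
EXPECTED = {
    "strict-transport-security": None,
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "content-security-policy": None,
    "referrer-policy": "no-referrer-when-downgrade",
}

# Constructed sample response, modelled on the cmdlet output in the post.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'",
    "Referrer-Policy": "no-referrer-when-downgrade",
}


def audit_headers(headers, expected=EXPECTED):
    """Return a list of findings; an empty list means every expected header is
    present with an acceptable value. Header names match case-insensitively."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name, want in expected.items():
        got = lowered.get(name)
        if got is None:
            findings.append(f"missing {name}")
            continue
        got_norm = got.strip().lower()
        if want is not None and got_norm != want.lower():
            # unsafe-url would also satisfy OWA but sends the full URL even on
            # an HTTPS-to-HTTP downgrade, so call that out specifically.
            note = " (over-permissive)" if got_norm == "unsafe-url" else ""
            findings.append(f"{name} is {got!r}, expected {want!r}{note}")
    return findings


def fetch_headers(url, timeout=10):
    """GET the URL and return its response headers as a dict. A 4xx/5xx
    response still carries the headers, so those are returned rather than raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in
    # fetch_headers(ADFS_SIGNON_URL) to test a real deployment.
    for finding in audit_headers(SAMPLE_HEADERS) or ["all expected headers present"]:
        print(finding)
```

When running this against a real deployment, point it at the externally reachable AD FS name so the check passes through any Web Application Proxy or load balancer in front of the farm and confirms those components pass the headers through unchanged.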

1 comment:

Anonymous said...

Just wanted to thank you =) I was able to get it working by disabling the chrome://flags/#reduced-referrer-granularity flag. But after that I started to look for the exact same thing that you accomplished. Awesome!