Issue with X-Frame-Options and Lync Server 2013 Simple URLs


I had a customer recently that started getting the following when external users tried to join a Lync meeting they were hosting:

This content cannot be displayed in a frame

To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.

What you can try:

Open this content in a new window

 

We took a look at the traffic with Fiddler and noticed that in the 200, multiple X-Frame-Options were being returned:



I have seen this issue before with some Reverse Proxies that inserted X-Frame-Options and caused the same issue. Barracuda has some information listed here for their Reverse Proxy product. In this case, it wasn't the Reverse Proxy, but instead a configuration change that was made to IIS:

It turns out that their security team recommended that this be added to the external website on all of the Front End Servers. You can find some more information on X-Frame-Options here and here. We did try using ALLOW-FROM instead of SAMEORIGIN, but the same issue still occurred. Once we removed this setting, everything started working again:

Looking at the traffic again in Fiddler, you can see that only one X-Frame-Options is now listed:



As you can see, Lync Server 2013 inserts its own X-Frame-Options headers, and manually configuring some in IIS actually causes issues.
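The same check done in Fiddler above can be scripted. This is an added example, not part of the original post: it parses a raw response header block and reports when more than one X-Frame-Options value is present, whether as repeated header lines or folded into one comma-separated line by an intermediary. The sample responses, the header values in them and the `portal.example.com` host are constructed for illustration.

```python
"""Flag HTTP responses that carry more than one X-Frame-Options value."""


def xfo_values(raw_headers: str) -> list[str]:
    """Return every X-Frame-Options value found in a raw response header block.

    Repeated header lines and comma-joined values are both counted, because a
    proxy or load balancer may fold two header lines into a single one.
    """
    values = []
    for line in raw_headers.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    return values


def audit(raw_headers: str) -> str:
    """Classify a response as 'missing', 'ok', 'duplicate' or 'conflicting'."""
    values = xfo_values(raw_headers)
    if not values:
        return "missing"
    if len(values) == 1:
        return "ok"
    return "conflicting" if len(set(values)) > 1 else "duplicate"


# Constructed samples: two layers each adding the header, a folded pair with
# different values, and a response where only one layer sets the header.
BROKEN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "X-Frame-Options: SAMEORIGIN\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n")
FOLDED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "x-frame-options: SAMEORIGIN, ALLOW-FROM https://portal.example.com\r\n\r\n")
FIXED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         "X-Frame-Options: SAMEORIGIN\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("broken", BROKEN), ("folded", FOLDED), ("fixed", FIXED)):
        print(f"{label}: {audit(raw)} {xfo_values(raw)}")
```

Paste the raw response headers from a capture into the function; any result other than `ok` on a Simple URL response means some layer (IIS, reverse proxy or load balancer) is adding a header on top of the one the server already sends.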

Comments (1)
  1. Rick Eveleigh says:

    Many thanks for this — just experienced the same symptoms on Skype for Business but I couldn’t find the rogue setting in IIS. It turned out it had been set on the Hardware Load Balancer and removing it fixed the issue.
