Office(Word, Excel, etc) fails to render DUO multifactor authentication login page


Issue:

You have a custom multifactor authentication login pages that leverage DUI API, and all works fine from web browsers but the Office client (Word, Excel, etc) fails to render all of the HTML property, you may see a flicker of the login page but in the end Office shows this error:

"Your organization's policies are preventing us from completing this action for you.  For more info, please contact your help desk."

Cause:

When the DUO iframe is loaded from the ‘duo.form.login.template.html’ file, the code is <iframe id="duo_iframe" width="100%" height="350px" frameborder="0">
Note that the SRC attribute of the Iframe element is missing, causing the iFrame to load the URL about:blank (The Iframe SRC attribute is set at a later point in the Duo-Web-v2.js file).  For security reasons Office does not allow navigation to any non-https end point within the webview which is shown to capture user credentials. The lack of a SRC attribute causes the embedded browser to load "about:blank" in the IFRAME which is not based on HTTPS and Office cannot allow such navigation to take place.

Workaround:

Specifying a SRC attribute for the Iframe element resolves the issue : <iframe id="duo_iframe" src="images/TempImage.gif” width="100%" height="350px" frameborder="0"> (Since we have a SRC, about:blank no longer loads, and hence the issue does not occur)

 


Comments (1)

  1. hamhands says:

    Thanks for this. I was experiencing this issue with Sharepoint-hosted content protected by CAS + Duo. Users would enter their credentials and submit the CAS login form, then the embedded browser would close and the Office app would show the error above. This happened when opening Word, Excel, PP, and Visio docs as well as when Sharepoint lists were connected to Outlook. Sure enough, the markup for the Duo IFRAME did not contain a src attribute. Once I added one pointing to a blank document, the Duo view started rendering. This is with Office 2013 so the compatibility level of the embedded browser is pretty ancient. The Duo view doesn’t look very nice in it, but it’s functional. Thanks again for the post.

Skip to main content