Configure HSTS for AD FS

Question

Configure HSTS for AD FS

9704244848 186

Hi Girls any Guys,
we us AD FS for some Appliactions in our network. During the migration (Windows Server 2012R2 -> Windows Server 2019 Build 1809) we noticed that Microsoft has implemented various HTTP Security Responst headers by default - cool. Customize HTTP security response headers with AD FS 2019

After the migration of ADFS and WAP we checked this with SSL Labs and Security Headers. Both results displays, that HSTS is not active. I precheck this on the primary AD FS Servers via PowerShell with Get-AdfsResponseHeaders. The Parameter ResponseHeadersEnabled is true and the requiere values was set in ResponseHeaders.

So i removed HSTS from ReponseHeaders:

Set-AdfsResponseHeaders -RemoveHeaders "Strict-Transport-Security"

After that i restarted the whole server and try to add HSTS configuration:

Set-AdfsResponseHeaders -SetHeaderName "Strict-Transport-Security" -SetHeaderValue "max-age=31536000; includeSubDomains"

The command was execute successfully - no error output. I checked the Parameter ReponseHeaders , but HSTS is not configuried.

Anyone here who configured HSTS successfully in his environment?

Regards

Accepted answer

5 additional answers

Your answer

Answer 1

Jean-Luc Ch 176

As shown here, you should use the great Fiddler tool for checking.
If you test fs.yourdomain.com, no HSTS.
If you check a reliable endpoint, for exemple, by connecting to relying partner, you will see STS.
Here you will see another example:

How is it for you?

Best regards

9704244848 186 Reputation points

2020-07-24T21:50:12.487+00:00

Oh, what the hell... :-(
You a right. I could adjust it in our enviroment.

Why is the header not always delivered indepentent of the entpoint?
Basicly the URL adfs.domain.de delivers a webpage with status code 200.

Can the behavior be adjusted?
Jean-Luc Ch 176 Reputation points

2020-07-25T00:04:15.817+00:00

I agree, it's strange. I believe it's not possible...

Answer 2

SirJonnyB 5

This is a flaw in AD FS. if you go to the root page which has no content ex. https://mysso.somedomain.com the header is not expressed, if you go to a page which has content ex. https://mysso.soemdomain.com/adfs/ls the headers are expressed. This is an issue with website auditing software and cyber insurance firms as your adfs site will get a less than exceptable score. Microsoft should fix this but as of today I can't not find a solution.

Answer 3

Jean-Luc Ch 176

Hi!
With

Set-AdfsResponseHeaders -SetHeaderName "Strict-Transport-Security" -SetHeaderValue "max-age=31536000"

Does it work?

What is

Get-AdfsResponseHeaders

result ?

Answer 4

Thank you. The problem is still the same. The value would not be displayed.
The Windows PowerShell was started by using the Run as Administrator option.

PS > Set-AdfsResponseHeaders -SetHeaderName "Strict-Transport-Security" -SetHeaderValue "max-age=31536000; includeSubDomains" 
PS > Set-AdfsResponseHeaders -SetHeaderName "Strict-Transport-Security" -SetHeaderValue "max-age=31536000"
PS > Get-AdfsResponseHeaders


ResponseHeaders           : {[X-Frame-Options, DENY], [X-Content-Type-Options, nosniff], [X-XSS-Protection, 1;
                            mode=block], [Content-Security-Policy, default-src 'self' 'unsafe-inline' 'unsafe-eval';
                            img-src 'self' data:;]...}
ResponseHeadersEnabled    : True
PublicKeyPinningEnabled   : False
PublicKeyPrimary          :
PublicKeySecondary        :
PublicKeyPinningReportUri :
AdditionalPublicKeys      : {}
CORSEnabled               : False
CORSTrustedOrigins        : {}

To be on the safe side, i restarted the AD FS service without success.

Regards

Answer 5

Jean-Luc Ch 176

Can you execute:

$FormatEnumerationLimit=-1

and next, the

Get-AdfsResponseHeaders

?

Share via

Configure HSTS for AD FS

5 additional answers

Your answer