production

Debugging in Production

I was given this challenging case today, where I had to change production HTML to figure out what was wrong. I have to confess, it was a try and error approach.

The case

The issue arose by opening a document from SharePoint in an Office application. Office applications authenticate through an embedded browser. Many of you have seen this if SharePoint is secured by ADFS. Every time we reached a specific page, the embedded browser closed and displayed the following error:

Your organization's policies are preventing us from completing this action for you. For more info, please contact your help desk.

A similar issue was posted by a Microsoft security engineer. He resolved the problem by adding an initial src URL to the iframe he was using.

The search for a solution

By following this blog post from Telerik I was able to change production HTML.

  1. Trace the network traffic
  2. At some point, a call to your endpoint is made (for ex. to https://originalhost/customIframe.html)
  3. Create a dummy HTML-file you want to serve instead of the production code (you can copy/paste the production code from the Fiddler trace to this HTML-file)
  4. Right-click on the request – Add new rule
  5. Add a rule similar to the screenshot above

Make sure “Auto Responder” and your rule is active by checking if the toggle is green. Otherwise, you won’t hit the forged HTML-file.

Bonus

I was debugging in the embedded browser of Office. So, no JavaScript console available to see what’s really going on. To conquer this, I had to download Visual Studio 2017 (you find the reason why here), created a web project, attached the debugger to the Office application, and displayed the JavaScript console under Debugging – Window – JavaScript Console.

Conquering the problem

First I tried to render an iframe with a relative URL inside the Office application embedded browser:

<iframe src="/relative/path/logo.png" ></iframe>

This worked.

The following resulted in the error stated above:

<iframe src="https://www.google.com"></iframe>

This led me to the conclusion that iframes with external URLs are not allowed. Alright. If I just knew how to change this behavior. Group policy is not an option since the guests will be external users.

With posting my question to Stackoverflow I ended my day. I would not say successful but at least a little bit wiser.

Author

  • Kai

    Hello you! My name is Kai Boschung and I live with my girl Dominique and our dog Nikita close to Bern, Switzerland.I work at Experts Inside and founded together with compadres the IoT consulting firm appery.

    View all posts

Read Next