The Microsoft Office “thick” clients (Word, Excel, etc. on MacOS, Windows, iPhone, Android) support enterprise logins to Office 365 with an embedded browser that’s launched when you try to sign-in.
If using the iframe as shown in
For our custom WebSSO, when the embedded browser attempts to render the html page with the iframe, it fails and the sign-up stops. A Microsoft employee wrote
(which seems to have disappeared from the website very recently, but I have the content appended below.)
In that blog the suggestion was a iframe element like
<iframe id="duo_iframe" src="/images/tiny.gif">
The difference being that a minimal image is initially inserted into the iframe. We found that this does fix the problem and people can sign-in from those browsers (and it still works on traditional ones).
So, I was wondering what the folks at Duo think of this, and if it appears to be reasonable, be officially documented?
(Here’s that blog’s content, including its (one) comment)
Office(Word, Excel, etc) fails to render DUO multifactor authentication login page
Warren_R_Msft February 26, 2018
You have a custom multifactor authentication login pages that leverage DUI API, and all works fine from web browsers but the Office client (Word, Excel, etc) fails to render all of the HTML property, you may see a flicker of the login page but in the end Office shows this error:
“Your organization’s policies are preventing us from completing this action for you. For more info, please contact your help desk.”
When the DUO iframe is loaded from the “duo.form.login.template.html” file, the code is
<iframe id="duo_iframe" width="100%" height="350px" frameborder="0">
Note that the SRC attribute of the Iframe element is missing, causing the iFrame to load the URL about:blank (The Iframe SRC attribute is set at a later point in the Duo-Web-v2.js file). For security reasons Office does not allow navigation to any non-https end point within the webview which is shown to capture user credentials. The lack of a SRC attribute causes the embedded browser to load “about:blank” in the IFRAME which is not based on HTTPS and Office cannot allow such navigation to take place.
Specifying a SRC attribute for the Iframe element resolves the issue :
<iframe id="duo_iframe" src="images/TempImage.gif" width="100%" height="350px" frameborder="0"> (Since we have a SRC, about:blank no longer loads, and hence the issue does not occur)
You must be logged in to post a comment.
July 25, 2018 at 5:56 pm
Thanks for this. I was experiencing this issue with Sharepoint-hosted content protected by CAS + Duo. Users would enter their credentials and submit the CAS login form, then the embedded browser would close and the Office app would show the error above. This happened when opening Word, Excel, PP, and Visio docs as well as when Sharepoint lists were connected to Outlook. Sure enough, the markup for the Duo IFRAME did not contain a src attribute. Once I added one pointing to a blank document, the Duo view started rendering. This is with Office 2013 so the compatibility level of the embedded browser is pretty ancient. The Duo view doesn’t look very nice in it, but it’s functional. Thanks again for the post.