Advertisement
Having an issue with accessing internal sites and redirects now with HSTS warnings on Edge. Chrome & Firefox.<\/p>\n
Tried accessing the HSTS settings in both edge & chrome and deleting them, as well as pushed GPO to force secure dns is turned off. both tried rebooting, system, and clearing cache and restarting browsers, but still no luck, anyone have any ideas? we don’t have IIS set on our PDC, but running the query from chrome or edge, shows that are root domain is forcing hsts, but can’t figure out how to disable it.<\/p>\n
Tried all of the articles out there, no luck. anyone have any other ideas to help, please?<\/p>","upvoteCount":5,"answerCount":5,"datePublished":"2025-01-21T19:51:25.971Z","author":{"@type":"Person","name":"Daniel9483","url":"https://community.spiceworks.com/u/Daniel9483"},"suggestedAnswer":[{"@type":"Answer","text":"
Having an issue with accessing internal sites and redirects now with HSTS warnings on Edge. Chrome & Firefox.<\/p>\n
Tried accessing the HSTS settings in both edge & chrome and deleting them, as well as pushed GPO to force secure dns is turned off. both tried rebooting, system, and clearing cache and restarting browsers, but still no luck, anyone have any ideas? we don’t have IIS set on our PDC, but running the query from chrome or edge, shows that are root domain is forcing hsts, but can’t figure out how to disable it.<\/p>\n
Tried all of the articles out there, no luck. anyone have any other ideas to help, please?<\/p>","upvoteCount":5,"datePublished":"2025-01-21T19:51:26.061Z","url":"https://community.spiceworks.com/t/need-help-with-hsts-issue-domain-wide/1165475/1","author":{"@type":"Person","name":"Daniel9483","url":"https://community.spiceworks.com/u/Daniel9483"}},{"@type":"Answer","text":"
What changed to enforce this and over 3 different browsers?<\/p>\n
Are all internal sites secure are they all on the same box - perhaps it’s server side, not client.<\/p>","upvoteCount":1,"datePublished":"2025-01-21T19:56:40.626Z","url":"https://community.spiceworks.com/t/need-help-with-hsts-issue-domain-wide/1165475/2","author":{"@type":"Person","name":"Rod-IT","url":"https://community.spiceworks.com/u/Rod-IT"}},{"@type":"Answer","text":"
The web (IIS?) server has to set HSTS to enabled - it cannot happen from the client.<\/p>\n
Since the server (or WAF) has it set, clearing from the client will do nothing - the next time you go back to the site it will get the (bad) HSTS header again and the problem recurs.<\/p>\n
HSTS should not be enabled without a full contingency plan in place (else your page becomes inaccessible), and full understanding of the implications.<\/p>","upvoteCount":2,"datePublished":"2025-01-21T22:24:45.102Z","url":"https://community.spiceworks.com/t/need-help-with-hsts-issue-domain-wide/1165475/3","author":{"@type":"Person","name":"phildrew","url":"https://community.spiceworks.com/u/phildrew"}},{"@type":"Answer","text":"
The most likely explanation is that HSTS was turned on for your public website. And when doing so, subdomains was selected.<\/p>\n
You also have your internal domain name the same as public.<\/p>\n
So, when you go to www.MyCorp.com<\/a> it loads the HSTS header, and says that any subdomains/sites (*.MyCorp.com) sites must use the published cert.<\/p>\n