We are trying to get an application server that is running apache2 on CentOS 5.1 to use NTLM to provide SSO to a number of applications.

We can get SSO to work with IE; however, SSO fails with Firefox. We have updated the NTLM trust entry in about:config in Firefox, but this still fails.

Our current apache config looks like this:

Alias /someapp "/opt/someapp/public"

<Directory "/opt/someapp/public/">
   # Apache2::AuthenNTLM answers both the NTLM and the Basic challenge
   PerlAuthenHandler Apache2::AuthenNTLM
   AuthType ntlm,basic
   AuthName Basic
   require valid-user
   # domain name followed by the primary and backup domain controllers
   PerlAddVar ntdomain "MYDOMAIN primayad backupad"
   PerlSetVar defaultdomain MYDOMAIN
   PerlSetVar fallbackdomain MYDOMAIN
   PerlSetVar splitdomainprefix  1
   AllowOverride All
   Order allow,deny
   Allow from all
   # verbose NTLM debug output in the Apache error log
   PerlSetVar ntlmdebug 3
   #PerlSetVar ntlmauthoritative off
   PerlSetVar basicauth off
</Directory>

Any ideas why this would work for IE, but Firefox gets a dialog box prompting for user authentication?

Thanks,

Grant

Grant Collins
  • If you remove the NTLM trust entry from Firefox, do you get prompted for a password? If so, does entering your domain login (in the form "domain\username") and password work? – GAThrawn Oct 22 '09 at 12:02
  • Just tried this by removing the NTLM trust entry from Firefox and entered mdomain\username, and it went in fine. If I do it just as "username" again, it works fine. Any ideas? – Grant Collins Oct 22 '09 at 13:11
  • Want to add that originally we wanted to use Kerberos, but for some reason half of the clients (Win XP) were defaulting to NTLM; that is why we are not looking at this for SSO. – Grant Collins Oct 22 '09 at 13:40

1 Answer

That is because by default IE does global NTLM authentication. Firefox went the other way: it only attempts NTLM authentication when it is explicitly configured to do so, and otherwise ignores SPNEGO challenges.

You need to open about:config in Firefox and filter to find network.automatic-ntlm-auth.trusted-uris, which by default will have no values. You need to put in hostnames that match the hosts against which you want to perform NTLM authentication. I've read other sites that suggest putting fully qualified URLs, but I've been fine using .domain.example.com for our internal Active Directory domain controlled hosts.

One caveat is that this will work for Firefox on a Windows machine but I have not had it succeed on a Linux machine even with it being joined to the AD domain as a member.

Jeremy Bouse
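The answer above hinges on how Firefox matches a request against the entries in network.automatic-ntlm-auth.trusted-uris, and a too-broad entry means the browser will hand the user's NTLM response to any host that happens to match. The following Python script is an added example, not code from the original question or answer and not Firefox's own source: it is a simplified model (an assumption on my part, not a transcription of the browser) of the matching rules, where entries are comma-separated, an entry with a scheme must agree on scheme, host and port, an entry starting with "." matches any host ending in that suffix (so ".domain.example.com" covers app.domain.example.com but not domain.example.com itself), and any other entry must equal the host exactly. The `allow_non_fqdn` switch mirrors the real Firefox preference network.automatic-ntlm-auth.allow-non-fqdn. All host names and URLs in it are constructed sample data.

```python
# Added example: a model of Firefox's trusted-uris matching, used to check
# which hosts a given preference value would send NTLM credentials to.
# The rules below are a simplified model (assumption), not the browser source.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_trusted_uris(pref_value):
    """Split the preference string into its non-empty, lower-cased entries."""
    return [e.strip().lower() for e in pref_value.split(",") if e.strip()]


def _effective_port(parts):
    """Explicit port if given, else the default for the scheme."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def entry_matches(entry, url):
    """True if one trusted-uris entry covers the given request URL."""
    target = urlsplit(url.lower())
    host = target.hostname or ""
    if "://" in entry:
        # Full URI entry: scheme, host and port all have to agree.
        want = urlsplit(entry)
        if want.scheme != target.scheme:
            return False
        if _effective_port(want) != _effective_port(target):
            return False
        pattern = want.hostname or ""
    else:
        pattern = entry
    if pattern.startswith("."):
        # Domain-suffix entry: covers hosts below the domain, e.g.
        # ".domain.example.com" covers "app.domain.example.com".
        return host.endswith(pattern)
    # Bare host entry: exact match only.
    return host == pattern


def will_send_ntlm(pref_value, url, allow_non_fqdn=False):
    """Decide whether credentials go out automatically for this URL.

    allow_non_fqdn mirrors network.automatic-ntlm-auth.allow-non-fqdn:
    when set, bare single-label intranet names are trusted as well.
    """
    host = urlsplit(url.lower()).hostname or ""
    if allow_non_fqdn and host and "." not in host:
        return True
    return any(entry_matches(e, url) for e in parse_trusted_uris(pref_value))


def overly_broad_entries(pref_value):
    """Flag suffix entries with fewer than two labels (e.g. ".com" or "."),
    which would send the user's NTLM response to any host under that suffix."""
    broad = []
    for e in parse_trusted_uris(pref_value):
        if e.startswith("."):
            labels = [label for label in e.split(".") if label]
            if len(labels) < 2:
                broad.append(e)
    return broad


if __name__ == "__main__":
    # Constructed sample preference value and request URLs.
    pref = ".domain.example.com, https://intranet.example.com"
    for u in ("http://appserver.domain.example.com/someapp",
              "http://attacker.example.com/",
              "https://intranet.example.com/someapp",
              "http://intranet.example.com/someapp"):
        print(u, "->", will_send_ntlm(pref, u))
    print("overly broad:", overly_broad_entries(".com, .domain.example.com"))
```

Running it shows why a scheme-qualified entry is stricter than a bare domain suffix: the same intranet host is trusted over https but not over http, while the suffix entry covers every host under the AD domain and nothing outside it. `overly_broad_entries` is the check worth running on any value pushed out by group policy, since an entry like ".com" would make the browser answer NTLM challenges from essentially any site.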