Windows Domain Authentication with Firefox

22

6

We have many internal web sites on our domain:

  • a.blah.com
  • b.blah.com
  • c.blah.com

IE authenticates automatically using the currently signed-in domain user, but Firefox pops up a login box, sometimes multiple times per page load if assets on different internal sites are referenced. I've tried modifying about:config as suggested by this post but that didn't resolve the issue.

Does anyone have any other suggestions about how to get Firefox to authenticate using the signed-in domain user? I'm currently using the IETab Firefox addon to load these internal pages using the IE engine but I'd prefer a simpler solution...

Danielb

Posted 2009-06-05T20:47:40.780

Reputation: 619

Firefox can apparently do the authentication, but I've never been able to get it to work so I just use IETab too. – None – 2009-06-05T20:51:58.590

Answers

17

I think this will cover you:

http://markmonica.com/2007/11/20/firefox-and-integrated-windows-authentication/

How to configure Firefox

  1. Open Firefox
  2. In the address bar type: about:config
  3. Firefox 3.x and later requires you to agree that you will proceed with caution.
  4. After the config page loads, in the filter box type: network.automatic

brendan

Posted 2009-06-05T20:47:40.780

Reputation: 446

5

If you are on a network using Kerberos for authentication, you should try the following.

Open about:config in Firefox and navigate via the filter 'network.negotiate-auth'. You will see a handful of settings related to Kerberos / GSSAPI Authentication.

The two of interest will be 'network.negotiate-auth.delegation-uris' and 'network.negotiate-auth.trusted-uris'. It sounds like all of the sites where you need to authenticate are under one domain, so the following settings should work for you.

network.negotiate-auth.delegation-uris => http://

network.negotiate-auth.trusted-uris => blah.com

If you need to set multiple sites/domains, then you would modify the latter to be the following.

network.negotiate-auth.trusted-uris => a.blah.com,b.blah.com,c.blah.com

One caveat that you should be aware of is that the delegation URI should ideally be using https instead of http. If you are in a closed private network this is typically not a big deal, but you'll be opening yourself up to man-in-the-middle exploits against sites that are accessed over the internet. If you want both allowed, you can use the following.

network.negotiate-auth.delegation-uris => http://,https://

Regarding the comment by brendan, the values for network.negotiate-auth.trusted-uris are the same as you would set for network.automatic-ntlm-auth.trusted-uris to enable NTLM. On most servers using Windows 2003 or later, you will see that Negotiate is attempted before NTLM.

meklarian

Posted 2009-06-05T20:47:40.780

Reputation: 151
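An added example, not part of the answer above and not Firefox's own code: a Python check that reads the negotiate-auth lists from a profile's user.js and flags entries that are broader than an intranet needs, including the http delegation caveat raised in the answer. The sample file is constructed from the values quoted above, and the matching model (optional scheme, host matched exactly or as a dot-bounded suffix, ports and paths ignored) is an assumption about how Firefox interprets these lists.

```python
import re
from urllib.parse import urlsplit

# Constructed sample user.js using the values quoted in the answer above.
SAMPLE_USER_JS = '''
user_pref("network.negotiate-auth.trusted-uris", "a.blah.com,b.blah.com,c.blah.com");
user_pref("network.negotiate-auth.delegation-uris", "http://,https://");
'''

PREF_RE = re.compile(r'user_pref\("(network\.negotiate-auth\.[\w-]+)",\s*"([^"]*)"\);')

def parse_prefs(text):
    """Return {pref name: [entries]} for the negotiate-auth URI lists."""
    return {name: [e.strip() for e in value.split(",") if e.strip()]
            for name, value in PREF_RE.findall(text)}

def split_entry(entry):
    """Split a list entry into (scheme or None, host or None)."""
    scheme, sep, rest = entry.partition("://")
    if not sep:
        return None, entry.lower()
    return scheme.lower(), (rest.lower() or None)

def entry_matches(entry, url):
    """Assumed matching model: an optional scheme must equal the URL's scheme,
    an optional host must equal the URL's host or be a dot-bounded suffix."""
    scheme, host = split_entry(entry)
    parts = urlsplit(url)
    url_host = (parts.hostname or "").lower()
    if scheme and scheme != parts.scheme:
        return False
    return host is None or url_host == host or url_host.endswith("." + host)

def audit(prefs):
    """Return findings for entries broader or weaker than an intranet needs."""
    findings = []
    for name, entries in prefs.items():
        for entry in entries:
            scheme, host = split_entry(entry)
            if host is None:
                findings.append((name, entry, "scheme only: applies to every host"))
            if name.endswith("delegation-uris") and scheme != "https":
                findings.append((name, entry, "delegation not restricted to https"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_prefs(SAMPLE_USER_JS)):
        print(*finding, sep=" | ")
```

Under this model a tighter delegation value would pair the scheme with a host, for example `https://a.blah.com`, which `audit` reports no findings for.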

-1

If you're not logged in as the Windows domain user, Firefox has no way to set a generic login for, say, *.blah.com.

Tracked as Mozilla Bug 589628.

chronospoon

Posted 2009-06-05T20:47:40.780

Reputation: 154