How to configure Firefox for NTLM SSO (Single-Sign-On)?

39

15

My computer and user belonging to the domain, I want to connect to my NTLM-SSO-enabled intranet website http://intranet without providing a login/password.

How to do it with Mozilla Firefox?

Nicolas Raoul

Posted 2013-10-24T08:13:34.510

Reputation: 7 766

Answers

44

  • When accessing the relevant site you need to make sure you run Firefox as the Windows user you want to log on as. If you always log onto a workstation as a domain user then there is no issue, otherwise you may need to Shift + right-click the shortcut and choose Run as different user..., or setup a shortcut with your credentials saved
  • In Firefox, type about:config In the address bar and press return.
  • After the config page loads, in the filter box type: network.automatic. You should see a search result of network.automatic-ntlm-auth.trusted-uris
  • Modify network.automatic-ntlm-auth.trusted-uris by double clicking the row and enter the relevent site
  • Multiple sites can be added by comma delimiting them such as: https://your_SecureAuth_FQDN.com, https://www.replacewithyourintranetsite.com
  • Click OK. You may need to restart Firefox for changes to take effect.

This is based on numerous pages I found on the internet, including this Firefox support page

James P

Posted 2013-10-24T08:13:34.510

Reputation: 9 542

1this does not work. i have read the same thing on many pages. is there an update for firefox v30 – shorif2000 – 2014-06-24T15:12:57.010

1

@sharif: Try using the downloading the following add-on: https://addons.mozilla.org/en-US/firefox/addon/integrated-auth-for-firefox/ then click Tools->Integrated Authentication Sites and check the box at the bottom that says Enable pass-through on all non-FQDN sites even if they aren't listed here

– James P – 2014-06-24T15:25:39.323

2

@sharif: The issue that affects Firefox 30 specifically is that insecure v1 of NTLM has been disabled by default. It could be that you need to use the about:config editor to set network.negotiate-auth.allow-insecure-ntlm-v1 to be true. However, NTLMv1 is very old, so I'm not sure if you would be using it. Relevant link: https://developer.mozilla.org/en-US/Firefox/Releases/30/Site_Compatibility

– James P – 2014-06-24T15:34:18.400

1Nothing works so far. Whatever I try from all answers here, FF keeps popping that annoying dialog prompt with (already saved!) username and password. Very un-thought design on FF side, I must say... – Van Jone – 2015-09-09T14:04:30.797

3Depending on the situation it might be worth trying with network.automatic-ntlm-auth.allow-non-fqdn set to true, although for me it still worked when set to false and not specifying a domain. Unfortunately Mozilla have made these settings far too numerous and complex – James P – 2015-09-09T14:39:09.423

17

To authenticate Firefox automatically through a proxy (avoiding NTLM prompt), you have to modify 3 parameters.

  • Open the page about:config (in the address bar)

Add your uris (separate with ,) in the following 3 parameters:

  • network.automatic-ntlm-auth.trusted-uris
  • network.negotiate-auth.delegation-uris
  • network.negotiate-auth.trusted-uris

and change it with the URL of your proxy redirection page, like http://myproxy.local

Modify

  • signon.autologin.proxy to be true

If you do it by script, be careful with the dots (.) and the dash (-) in the parameters. This is often the problem.

Olivier

Posted 2013-10-24T08:13:34.510

Reputation: 179

network.negotiate-auth.trusted-uris works for me. Eg. when https://subdomain1.companydomain.cz/identitity/auth is page where authentication through NTML is done, you have tu put value https://subdomain1.companydomain.cz (ie. protocol and full domain, without path). Note that values are comma (,) separated.

– Michal Bernhard – 2018-04-06T08:27:42.497

Works perfectly for me. My organization uses windows based single sign-on. Tested on firefox v61.0.2 – Adarsh – 2018-08-14T11:30:43.927

4

The suggested solution with network.automatic-ntlm-auth.trusted-uris was not enough in my case. Then I tried the same in network.negotiate-auth.trusted-uris Now it works.

Robert Pagon

Posted 2013-10-24T08:13:34.510

Reputation: 49

3Still not working: FF keeps popping that annoying dialog prompt with already saved username and password – Van Jone – 2015-09-09T14:01:05.560

1

I modified signon.autologin.proxy to be true (by double-clicking on the preference name) and changed network.negotiate-auth.trusted-uris to timecard.example.com and it's working for me, almost too well. When I sign out of the page, it takes me to a sign-in screen, where I'm instantly logged in again. But I can live with that. What is missing is a way to either (a) add another URI with a single click, or (b) use wildcards, such as *.example.com.

samwyse

Posted 2013-10-24T08:13:34.510

Reputation: 133

1

This worked for me:

Change network.automatic-ntlm-auth.allow-non-fqdn to True and signon.autologin.proxy to True

Add yourcompanyname.com in:

network.automatic-ntlm-auth.trusted-uris
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris

SQLGuru

Posted 2013-10-24T08:13:34.510

Reputation: 11

Asked: 2013-10-24T08:13:34.510

Viewed: 137 571 times

Active: 2019-07-01T20:22:30.087