NTLM Authentication issue
The passing of Windows credentials into our homepage using a mozilla.cfg file isn't working properly and I can't figure out why. I know Firefox is reading the config file because the homepage is correctly pointed. However I have edited the following settings to:
lockPref("network.automatic-ntlm-auth-allow-proxies", true); lockPref("network.automatic-ntlm-auth-trusted-uris", "servername.domain.corp"); lockPref("network.negotiate-auth-allow-proxies", true); lockPref("network.negotiate-auth-delegation-uris", "servername.domain.corp");
This is what the settings are for the homepage: //set intranet as home page lockPref("browser.startup.homepage", "https://servername.domain.corp"); lockPref("browser.startup.homepage_override.mstone", "ignore");
When I open firefox it directs to our homepage, however it prompts for credentials. Am I missing something?
All Replies (5)
The NTLM SSP is used in the following situations:
The client is authenticating to a server that doesn't belong to a domain or no Active Directory domain exists (commonly referred to as "workgroup" or "peer-to-peer") The server must have the 'Password protected sharing' feature enabled, which is not enabled by default and which is mutually exclusive with HomeGroup on some versions of Windows. When server and client both belong to the same HomeGroup, a protocol similar to Kerberos, Public Key Cryptography based User to User Authentication will be used instead of NTLM. HomeGroup is probably the easiest way to share resources on a small network, requiring minimal setup, even compared to configuring a few additional users to be able to use Password protected sharing, which may mean it is used much more than Password protected sharing on small networks and home networks. If the server is a device that supports SMB, such as NAS devices and network printers, the NTLM SSP may offer the only supported authentication method. Some implementations of SMB or older distributions of e.g. Samba may cause Windows to negotiate NTLMv1 or even LM for outbound authentication with the SMB server, allowing the device to work although it may be loaded with outdated, insecure software regardless of whether it were a new device. If the server is a member of a domain but Kerberos cannot be used. The client is authenticating to a server using an IP address (and no reverse name resolution is available) The client is authenticating to a server that belongs to a different Active Directory forest that has a legacy NTLM trust instead of a transitive inter-forest trust Where a firewall would otherwise restrict the ports required by Kerberos (typically TCP 88)
Okulungisiwe
We have the windows account setup to authenticate to our intranet page in Chrome. I shouldn't need to adjust the server different for Firefox, should I?
Configuring Firefox to allow silent authentication By default, Firefox supports prompted NTLM authentication. To enable silent NTLM authentication, you first need to configure the browser to trust sites. To enable silent NTLM authentication in Firefox: 1 Open Firefox. 2 Type about:config as the target URL. 3 Type ntlm in the Filter field. 4 Open network.automatic-ntlm-auth.trusted-uris. 5 Type a comma-separated list of partner URLs or domain names as string values, then click OK. For example, type http://server1.mydomain.com,https://server1.mydomain.com then click OK. Note For security reasons, make this list as restrictive as possible. Although the Mozilla Firefox Web browser supports negotiated (SPNEGO) authentication, this support is not enabled by default. To enable silent SPNEGO authentication for the Firefox browser, you first need to configure the browser to trust sites. To enable silent SPNEGO authentication in Firefox: 1 Open Firefox. 2 Type about:config as the target URL. 3 Type neg in the Filter field. 4 Open network.negotiate-auth.delegation-uris, type a comma-separated list of partner URLs or domain names, for example, http://server1.mydomain.com,https://server1.mydomain.com and click OK. Note For security reasons, make this list as restrictive as possible. If your Web server uses SSL, be sure to include https:// in the string. 5 Open network.negotiate-auth.trusted-uris, type a comma-separated list of partner URLs or domain names, for example, http://server1.mydomain.com,https://server1.mydomain.com and click OK.
The URLs that I need are listed in my about:config file and I posted them as contents of my config file in my initial question.
Any other help the community could provide on this one?