Windows Domain Authentication with Firefox

We have many internal web sites on our domain:

  • a.blah.com
  • b.bhah.com
  • c.blah.com

IE authenticates automatically using the currently signed in domain user but Firefox pops up a login box, sometimes multiple times per page load if assets on different internal sites are referenced. I've tried modifying about:config as suggested by this post but that didn't resolve the issue.

Does anyone have any other suggestions about how to get Firefox to authenticate using the signed in domain user? I'm currently using the IETab Firefox addon to load these internal pages using the IE engine but I'd prefer a simpler solution...


I think this will cover you:

http://markmonica.com/2007/11/20/firefox-and-integrated-windows-authentication/

How to configure Firefox

  1. Open Firefox
  2. In the address bar type: about:config
  3. Firefox 3.x and later requires you to agree that you will proceed with caution.
  4. After the config page loads, in the filter box type: network.automatic
    • Modify network.automatic-ntlm-auth.trusted-uris by double clicking the row and entering http://www.replacewithyoursite.com
    • Multiple sites can be added by comma delimiting them such as http://www.replacewithyoursite.com, http://www.replacewithyourintranetsite.com

If you are on a network using Kerberos for authentication, you should try the following.

Open about:config in Firefox and navigate via the filter 'network.negotiate-auth'. You will see a handful of settings related to Kerberos / GSSAPI Authentication.

The two of interest will be 'network.negotiate-auth.delegation-uris' and 'network.negotiate-auth.trusted-uris'. It sounds like all of the sites where you need to authenticate are under one domain, so the following settings should work for you.

network.negotiate-auth.delegation-uris => http://

network.negotiate-auth.trusted-uris => blah.com

If you need to set multiple sites/domains, then you would modify the latter to be the following.

network.negotiate-auth.trusted-uris => a.blah.com,b.blah.com,c.blah.com

One caveat that you should be aware of is that the delegation URI should ideally be using https instead of http. If you are in a closed private network this is typically not a big deal, but you'll be opening yourself up to man-in-the-middle exploits against sites that are accessed over the internet. If you want both allowed, you can use the following.

network.negotiate-auth.delegation-uris => http://,https://

Regarding the comment by brendan, the values for network.negotiate-auth.trusted-uris are the same as you would set for network.automatic-ntlm-auth.trusted-uris to enable NTLM. On most servers using Windows 2003 or later, you will see that Negotiate is attempted before NTLM.
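
The following is an added example, not part of the answers above: a small Node.js check that parses the values suggested for these preferences, flags entries that match every host or permit delegation without https, and renders a reviewed value as a `user.js` line. It assumes each comma-separated entry has the form `[scheme://][host[:port]]`; the function names and issue labels are hypothetical.

```javascript
// Added example (not from the original answers): audit a Firefox
// negotiate-auth / NTLM URI list before rolling it out.
// Assumption: each comma-separated entry is [scheme "://"][host[":" port]];
// an entry without a scheme matches any scheme, one without a host any host.
const DELEGATION_PREF = "network.negotiate-auth.delegation-uris";

function parseUriList(value) {
  return value.split(",").map((s) => s.trim()).filter(Boolean).map((entry) => {
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]*)(?::(\d+))?/i.exec(entry);
    return {
      entry,
      scheme: m[1] ? m[1].toLowerCase() : null,
      host: m[2] ? m[2].toLowerCase() : null,
      port: m[3] || null,
    };
  });
}

function auditPref(name, value) {
  const findings = [];
  for (const e of parseUriList(value)) {
    // A bare scheme such as "http://" names no host, so it covers all of them.
    if (!e.host) {
      findings.push({ entry: e.entry, issue: "any-host" });
    }
    // Delegation should be pinned to https, per the caveat in the answer.
    if (name === DELEGATION_PREF && e.scheme !== "https") {
      findings.push({ entry: e.entry, issue: "cleartext-delegation" });
    }
  }
  return findings;
}

// Render a reviewed value as a user.js line for deployment.
function toUserJs(name, value) {
  const clean = parseUriList(value).map((e) => e.entry).join(",");
  return `user_pref(${JSON.stringify(name)}, ${JSON.stringify(clean)});`;
}

// Values taken from the answer above.
const samples = [
  [DELEGATION_PREF, "http://"],
  [DELEGATION_PREF, "http://,https://"],
  ["network.negotiate-auth.trusted-uris", "a.blah.com,b.blah.com,c.blah.com"],
];
for (const [name, value] of samples) {
  console.log(toUserJs(name, value), auditPref(name, value));
}
```

A delegation value such as `https://a.blah.com,https://b.blah.com,https://c.blah.com` produces no findings.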