How to configure Firefox for NTLM SSO (Single-Sign-On)?
My computer and user belong to the domain, and I want to connect to my NTLM-SSO-enabled intranet website http://intranet without providing a login/password.
How to do it with Mozilla Firefox?
Solution 1:
- When accessing the relevant site you need to make sure you run Firefox as the Windows user you want to log on as. If you always log onto a workstation as a domain user then there is no issue, otherwise you may need to Shift + right-click the shortcut and choose Run as different user..., or set up a shortcut with your credentials saved
- In Firefox, type about:config in the address bar and press return.
- After the config page loads, in the filter box type: network.automatic. You should see a search result of network.automatic-ntlm-auth.trusted-uris
- Modify network.automatic-ntlm-auth.trusted-uris by double clicking the row and enter the relevant site
- Multiple sites can be added by comma delimiting them such as: https://your_SecureAuth_FQDN.com, https://www.replacewithyourintranetsite.com
- Click OK. You may need to restart Firefox for changes to take effect.
This is based on numerous pages I found on the internet, including this Firefox support page
Solution 2:
To authenticate Firefox automatically through a proxy (avoiding NTLM prompt), you have to modify 3 parameters.
- Open the page about:config (in the address bar)
- Add your uris (separate with ,) in the following 3 parameters, and change it with the URL of your proxy redirection page, like http://myproxy.local:
  network.automatic-ntlm-auth.trusted-uris
  network.negotiate-auth.delegation-uris
  network.negotiate-auth.trusted-uris
- Modify signon.autologin.proxy to be true
If you do it by script, be careful with the dots (.) and the dash (-) in the parameters. This is often the problem.
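Solution 2's warning about scripting these preferences, as an added example (not code from any of the answers): a Python generator for a profile's user.js file that checks each preference name against the names given on this page and keeps the trusted list limited to explicit hosts. Assumptions: the hosts are the page's own placeholders, `*` is treated as unsupported following Solution 5's report, and rejecting entries with a path is this example's policy, not a Firefox rule.

```python
import json
from urllib.parse import urlsplit

# Preference names exactly as they appear in the answers on this page.
URI_PREFS = (
    "network.automatic-ntlm-auth.trusted-uris",
    "network.negotiate-auth.delegation-uris",
    "network.negotiate-auth.trusted-uris",
)
BOOL_PREFS = ("signon.autologin.proxy", "network.automatic-ntlm-auth.allow-non-fqdn")


def normalize_uri(entry):
    """Return a cleaned entry, or raise ValueError for one this example refuses."""
    entry = entry.strip()
    if not entry or "*" in entry or any(c.isspace() for c in entry):
        raise ValueError(f"unsupported entry: {entry!r}")
    parts = urlsplit(entry if "://" in entry else "//" + entry)
    if parts.scheme not in ("", "http", "https") or not parts.hostname:
        raise ValueError(f"not a host or http(s) URL: {entry!r}")
    # Example policy: scheme and host only, so the trusted scope stays explicit.
    if parts.path not in ("", "/") or parts.query or parts.username:
        raise ValueError(f"only scheme and host are expected: {entry!r}")
    return entry.rstrip("/")


def build_user_js(uris, uri_prefs=URI_PREFS, bool_prefs=None):
    """Build user.js text setting each URI pref to one comma-separated list."""
    value = ",".join(normalize_uri(u) for u in uris)
    lines = []
    for name in uri_prefs:
        if name not in URI_PREFS:  # catches a dot/dash typo in the name
            raise KeyError(f"unknown preference: {name}")
        lines.append(f"user_pref({json.dumps(name)}, {json.dumps(value)});")
    for name, flag in (bool_prefs or {}).items():
        if name not in BOOL_PREFS:
            raise KeyError(f"unknown preference: {name}")
        lines.append(f"user_pref({json.dumps(name)}, {json.dumps(bool(flag))});")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values: placeholder hosts used on this page.
    print(build_user_js(["http://intranet", "https://timecard.example.com"],
                        bool_prefs={"signon.autologin.proxy": True}), end="")
```

Every host in these lists receives the user's Windows credentials automatically, so the generated file should name only the sites that need it.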
Solution 3:
The suggested solution with network.automatic-ntlm-auth.trusted-uris was not enough in my case. Then I tried the same in network.negotiate-auth.trusted-uris. Now it works.
Solution 4:
This worked for me:
Change network.automatic-ntlm-auth.allow-non-fqdn to True and signon.autologin.proxy to True
Add yourcompanyname.com in:
network.automatic-ntlm-auth.trusted-uris
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris
Solution 5:
I modified signon.autologin.proxy to be true (by double-clicking on the preference name) and changed network.negotiate-auth.trusted-uris to timecard.example.com and it's working for me, almost too well. When I sign out of the page, it takes me to a sign-in screen, where I'm instantly logged in again. But I can live with that. What is missing is a way to either (a) add another URI with a single click, or (b) use wildcards, such as *.example.com.