How to configure Firefox for NTLM SSO (Single-Sign-On)?

My computer and user belonging to the domain, I want to connect to my NTLM-SSO-enabled intranet website http://intranet without providing a login/password.

How to do it with Mozilla Firefox?


Solution 1:

  • When accessing the relevant site you need to make sure you run Firefox as the Windows user you want to log on as. If you always log onto a workstation as a domain user then there is no issue, otherwise you may need to Shift + right-click the shortcut and choose Run as different user..., or setup a shortcut with your credentials saved
  • In Firefox, type about:config In the address bar and press return.
  • After the config page loads, in the filter box type: network.automatic. You should see a search result of network.automatic-ntlm-auth.trusted-uris
  • Modify network.automatic-ntlm-auth.trusted-uris by double clicking the row and enter the relevent site
  • Multiple sites can be added by comma delimiting them such as: https://your_SecureAuth_FQDN.com, https://www.replacewithyourintranetsite.com
  • Click OK. You may need to restart Firefox for changes to take effect.

This is based on numerous pages I found on the internet, including this Firefox support page

Solution 2:

To authenticate Firefox automatically through a proxy (avoiding NTLM prompt), you have to modify 3 parameters.

  • Open the page about:config (in the address bar)

Add your uris (separate with ,) in the following 3 parameters:

  • network.automatic-ntlm-auth.trusted-uris
  • network.negotiate-auth.delegation-uris
  • network.negotiate-auth.trusted-uris

and change it with the URL of your proxy redirection page, like http://myproxy.local

Modify

  • signon.autologin.proxy to be true

If you do it by script, be careful with the dots (.) and the dash (-) in the parameters. This is often the problem.

Solution 3:

The suggested solution with network.automatic-ntlm-auth.trusted-uris was not enough in my case. Then I tried the same in network.negotiate-auth.trusted-uris Now it works.

Solution 4:

This worked for me:

Change network.automatic-ntlm-auth.allow-non-fqdn to True and signon.autologin.proxy to True

Add yourcompanyname.com in:

network.automatic-ntlm-auth.trusted-uris
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris

Solution 5:

I modified signon.autologin.proxy to be true (by double-clicking on the preference name) and changed network.negotiate-auth.trusted-uris to timecard.example.com and it's working for me, almost too well. When I sign out of the page, it takes me to a sign-in screen, where I'm instantly logged in again. But I can live with that. What is missing is a way to either (a) add another URI with a single click, or (b) use wildcards, such as *.example.com.