NTLM Authentication issue

The passing of Windows credentials into our homepage using a mozilla.cfg file isn't working properly and I can't figure out why. I know Firefox is reading the config file because the homepage is correctly pointed. However, I have edited the following settings to:

    lockPref("network.automatic-ntlm-auth-allow-proxies", true);
    lockPref("network.automatic-ntlm-auth-trusted-uris", "servername.domain.corp");
    lockPref("network.negotiate-auth-allow-proxies", true);
    lockPref("network.negotiate-auth-delegation-uris", "servername.domain.corp");

This is what the settings are for the homepage:

    //set intranet as home page
    lockPref("browser.startup.homepage", "https://servername.domain.corp");
    lockPref("browser.startup.homepage_override.mstone", "ignore");

When I open Firefox it directs to our homepage, however it prompts for credentials. Am I missing something?

All Replies (5)

The NTLM SSP is used in the following situations:

- The client is authenticating to a server that doesn't belong to a domain or no Active Directory domain exists (commonly referred to as "workgroup" or "peer-to-peer")
  - The server must have the 'Password protected sharing' feature enabled, which is not enabled by default and which is mutually exclusive with HomeGroup on some versions of Windows.
  - When server and client both belong to the same HomeGroup, a protocol similar to Kerberos, Public Key Cryptography based User to User Authentication will be used instead of NTLM. HomeGroup is probably the easiest way to share resources on a small network, requiring minimal setup, even compared to configuring a few additional users to be able to use Password protected sharing, which may mean it is used much more than Password protected sharing on small networks and home networks.
- If the server is a device that supports SMB, such as NAS devices and network printers, the NTLM SSP may offer the only supported authentication method. Some implementations of SMB or older distributions of e.g. Samba may cause Windows to negotiate NTLMv1 or even LM for outbound authentication with the SMB server, allowing the device to work although it may be loaded with outdated, insecure software regardless of whether it were a new device.
- If the server is a member of a domain but Kerberos cannot be used.
  - The client is authenticating to a server using an IP address (and no reverse name resolution is available)
  - The client is authenticating to a server that belongs to a different Active Directory forest that has a legacy NTLM trust instead of a transitive inter-forest trust
  - Where a firewall would otherwise restrict the ports required by Kerberos (typically TCP 88)

Modified by xXxY34R_xXx_Z3R0xXx

We have the Windows account set up to authenticate to our intranet page in Chrome. I shouldn't need to adjust the server differently for Firefox, should I?

Configuring Firefox to allow silent authentication

By default, Firefox supports prompted NTLM authentication. To enable silent NTLM authentication, you first need to configure the browser to trust sites.

To enable silent NTLM authentication in Firefox:

1. Open Firefox.
2. Type about:config as the target URL.
3. Type ntlm in the Filter field.
4. Open network.automatic-ntlm-auth.trusted-uris.
5. Type a comma-separated list of partner URLs or domain names as string values, then click OK. For example, type http://server1.mydomain.com,https://server1.mydomain.com then click OK.

Note: For security reasons, make this list as restrictive as possible.

Although the Mozilla Firefox Web browser supports negotiated (SPNEGO) authentication, this support is not enabled by default. To enable silent SPNEGO authentication for the Firefox browser, you first need to configure the browser to trust sites.

To enable silent SPNEGO authentication in Firefox:

1. Open Firefox.
2. Type about:config as the target URL.
3. Type neg in the Filter field.
4. Open network.negotiate-auth.delegation-uris, type a comma-separated list of partner URLs or domain names, for example, http://server1.mydomain.com,https://server1.mydomain.com and click OK.
   Note: For security reasons, make this list as restrictive as possible. If your Web server uses SSL, be sure to include https:// in the string.
5. Open network.negotiate-auth.trusted-uris, type a comma-separated list of partner URLs or domain names, for example, http://server1.mydomain.com,https://server1.mydomain.com and click OK.
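The preference names in the reply above carry a dot after `auth` (`network.automatic-ntlm-auth.trusted-uris`), while the mozilla.cfg in the question writes a hyphen there. A check for that, as an added example that is not part of the original thread: it parses `lockPref` lines and reports auth preference names that differ from the expected spelling, plus URI-list entries without a scheme. The function names and sample config are constructed; the two `allow-proxies` names in the list and the scheme rule (an entry without a scheme is not limited to https) are assumptions not stated on this page.

```python
import re

# Integrated-auth preference names, spelled with a dot after "auth".
KNOWN_PREFS = {
    "network.automatic-ntlm-auth.trusted-uris",
    "network.automatic-ntlm-auth.allow-proxies",   # assumption: not on the page
    "network.negotiate-auth.trusted-uris",
    "network.negotiate-auth.delegation-uris",
    "network.negotiate-auth.allow-proxies",        # assumption: not on the page
}

# Matches lockPref("name", value); and also defaultPref(...) / pref(...).
PREF_CALL = re.compile(r'\b(lockPref|defaultPref|pref)\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;')

def _squash(name):
    """Drop separators so 'auth-trusted' and 'auth.trusted' compare equal."""
    return re.sub(r"[.\-_]", "", name.lower())

CANONICAL = {_squash(p): p for p in KNOWN_PREFS}

def lint_autoconfig(text):
    """Return (pref_name, message) findings for auth prefs in mozilla.cfg text."""
    findings = []
    for _, name, value in PREF_CALL.findall(text):
        intended = CANONICAL.get(_squash(name))
        if intended is None:
            continue  # not one of the auth prefs this check covers
        if name != intended:
            # A misspelled name sets a pref nothing consults; the real one keeps its default.
            findings.append((name, f"expected {intended}"))
        if intended.endswith("-uris"):
            for entry in value.strip('"').split(","):
                entry = entry.strip()
                # Assumption: an entry without a scheme is not restricted to https.
                if entry and "://" not in entry:
                    findings.append((name, f"entry {entry!r} has no scheme"))
    return findings

# Constructed sample modelled on the config in the question.
SAMPLE_CFG = '''// constructed sample
lockPref("network.automatic-ntlm-auth-allow-proxies", true);
lockPref("network.automatic-ntlm-auth-trusted-uris", "servername.domain.corp");
lockPref("network.negotiate-auth.delegation-uris", "https://servername.domain.corp");
lockPref("browser.startup.homepage", "https://servername.domain.corp");
'''

if __name__ == "__main__":
    for pref, message in lint_autoconfig(SAMPLE_CFG):
        print(f"{pref}: {message}")
```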

The URLs that I need are listed in my about:config file and I posted them as contents of my config file in my initial question.

Any other help the community could provide on this one?