Mozilla Firefox Single Sign On

One of the projects I am working on is to get a multi-tenanted URL filtering proxy to work. That in itself has not been particularly difficult. It’s just a case of knowing where to find the various Linux config files in the product we have chosen: NetSweeper.  This project is now fully load-balanced with high availability (HA) failover and works with Internet Explorer and a few other mainstream browsers perfectly.  It even does Man-In-The-Middle style SSL intercepting to make sure it filters as much as possible.

Mozilla Firefox has been my downfall on this project. Usually, I hold Firefox high, but for all its greatness, it sucks at listening to the operating system for proxy settings and using Windows' built-in authentication methods.

There will be another article in a couple of weeks or so, when I next look at this project, about how I bully Firefox into doing SSL stuff and force it to use proxy settings, but at the moment I haven't had time to work on that. What I have done, though, is get Firefox to work with Windows Single Sign On (SSO).

Basically, you can manually set the sites for which you want to use SSO, simply by visiting a special URL in the browser:

about:config

First of all you get a warning telling you that you need to be careful.  But then you get a very long list of configurable variables.  For SSO you need the variable called:

network.automatic-ntlm-auth.trusted-uris

(use the filter bar at the top and search for ntlm)

If you double click this setting you can add the URLs for which you want to enable SSO, like so:

http://internalserver     or     http://www.google.co.uk

If you need more than one URL, just separate them with a comma.

Now that’s all well and good. But the fact is that in a domain situation you probably need to do this on hundreds of computers.  I found a vbs script online that claimed to fix this problem and it works very well with only one problem.  Because some of our users have non-standard profile locations we needed to modify it a little.  You can find our version here:

Firefox NTLM Authentication / Single Sign On

Please note, to put that into production you will need to rename the extension to .vbs, put it in a network share and play with group policies.  That bit is down to you!

I wish I could take credit for this script but I found the original online and then one of my colleagues had a bored 10 minutes so he modified the script for me.

Edit (20151017): The vbs script I referenced is no longer available, here is a Google Cache copy of the article.
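Since the linked script is gone, here is an added example (not the original VBS script or our modified version) of rolling the same preference out from a per-user logon script. It assumes Firefox's standard `profiles.ini` under `%APPDATA%\Mozilla\Firefox` and a `user.js` file in each profile, which Firefox applies at startup; `Get-FirefoxProfilePath` and the host-only check are names and rules made up for this example.

```powershell
# Added example: per-user logon script, not the VBS script the post links to.
# Constructed sample value. List internal hosts only: Firefox answers NTLM
# challenges from every listed site without prompting the user.
$TrustedUris = @('http://internalserver')
$PrefName    = 'network.automatic-ntlm-auth.trusted-uris'
$FirefoxDir  = Join-Path $env:APPDATA 'Mozilla\Firefox'
$ProfilesIni = Join-Path $FirefoxDir 'profiles.ini'

function Get-FirefoxProfilePath {
    param([string]$IniPath, [string]$BaseDir)
    # profiles.ini has one [ProfileN] section per profile, with Path= and
    # IsRelative= keys; a relative Path is resolved against $BaseDir.
    $sections = @(); $current = $null
    foreach ($line in [IO.File]::ReadAllLines($IniPath)) {
        if ($line -match '^\[(.+)\]') {
            $current = @{ Section = $Matches[1] }
            $sections += $current
        } elseif ($current -and $line -match '^([^=]+)=(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    foreach ($s in $sections) {
        if ($s.Section -notlike 'Profile*' -or -not $s.Path) { continue }
        if ($s.IsRelative -eq '1') { Join-Path $BaseDir $s.Path } else { $s.Path }
    }
}

# This script's own restriction: scheme plus host only, so a typo cannot
# break the quoted preference string or widen the list.
foreach ($u in $TrustedUris) {
    if ($u -notmatch '^https?://[A-Za-z0-9.-]+(:\d+)?$') { throw "Rejected entry: $u" }
}
if (-not (Test-Path -LiteralPath $ProfilesIni)) { return }  # Firefox not yet run

$prefLine = 'user_pref("{0}", "{1}");' -f $PrefName, ($TrustedUris -join ',')
foreach ($dir in Get-FirefoxProfilePath $ProfilesIni $FirefoxDir) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    $userJs = Join-Path $dir 'user.js'
    # Keep other preferences already in user.js; replace only this one.
    $kept = @()
    if (Test-Path -LiteralPath $userJs) {
        $kept = @([IO.File]::ReadAllLines($userJs) |
            Where-Object { $_ -notmatch [regex]::Escape($PrefName) })
    }
    [IO.File]::WriteAllLines($userJs, [string[]]($kept + $prefLine))
}
```

The setting takes effect the next time the user starts Firefox, and can be confirmed in about:config.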
