Mozilla Firefox Single Sign On
28/05/2012 Article
One of the projects I am working on is to get a multi-tenanted URL filtering proxy to work. That in itself has not been particularly difficult. It’s just a case of knowing where to find the various Linux config files in the product we have chosen: NetSweeper. This project is now fully load-balanced with high availability (HA) failover and works with Internet Explorer and a few other mainstream browsers perfectly. It even does Man-In-The-Middle style SSL intercepting to make sure it filters as much as possible.
Mozilla Firefox has been my downfall on this project. Usually, I hold Firefox high, but for all its greatness, it sucks at listening to the operating system for proxy settings and using Windows’ built-in authentication methods.
There will be another article in a couple of weeks or so, when I next look at this project, about how I bully Firefox into doing SSL stuff and force it to use proxy settings, but at the moment I haven’t had time to work on that. What I have done, though, is get Firefox to work with Windows Single Sign On (SSO).
You can manually set the sites for which you want to use SSO by visiting a special URL in the browser:
about:config
First of all you get a warning telling you that you need to be careful. But then you get a very long list of configurable variables. For SSO you need the variable called:
network.automatic-ntlm-auth.trusted-uris
(use the filter bar at the top and search for ntlm)
If you double-click this setting you can add the URLs for which you want to enable SSO, like so:
http://internalserver or http://www.google.co.uk
If you need more than one URL, just separate them with a comma.
Now that’s all well and good. But the fact is that in a domain situation you probably need to do this on hundreds of computers. I found a vbs script online that claimed to fix this problem and it works very well with only one problem. Because some of our users have non-standard profile locations we needed to modify it a little. You can find our version here:
Firefox NTLM Authentication / Single Sign On
Please note, to put that into production you will need to rename the extension to .vbs, put it in a network share and play with group policies. That bit is down to you!
I wish I could take credit for this script but I found the original online and then one of my colleagues had a bored 10 minutes so he modified the script for me.
Edit (20151017): The vbs script I referenced is no longer available, here is a Google Cache copy of the article.
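With the referenced script gone, here is one way to push the setting into every Firefox profile of the logged-on user, including profiles stored outside the default folder. This is an added example, not the script the article linked to; it assumes Firefox's standard profiles.ini and user.js files, the function names are hypothetical, and http://internalserver is the placeholder host from above.

```powershell
# Added example, run as a user logon script. Function names are hypothetical.
# Firefox answers NTLM challenges from the listed sites without prompting,
# so list only hosts you control. The value below is the article's placeholder.
$TrustedUris = 'http://internalserver'
$PrefName    = 'network.automatic-ntlm-auth.trusted-uris'
$FirefoxDir  = Join-Path $env:APPDATA 'Mozilla\Firefox'
$ProfilesIni = Join-Path $FirefoxDir 'profiles.ini'

function Get-FirefoxProfilePath {
    param([string]$IniPath, [string]$BaseDir)
    # Collect the Key=Value pairs of each [ProfileN] section in profiles.ini
    $section = $null; $profiles = @{}
    foreach ($line in [System.IO.File]::ReadAllLines($IniPath)) {
        if ($line -match '^\[(.+)\]\s*$') {
            $section = $Matches[1]
            if ($section -like 'Profile*') { $profiles[$section] = @{} }
        } elseif ($section -like 'Profile*' -and $line -match '^([^=]+)=(.*)$') {
            $profiles[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    foreach ($p in $profiles.Values) {
        if (-not $p.ContainsKey('Path')) { continue }
        # IsRelative=0 marks an absolute Path, i.e. a non-standard profile location
        if ($p['IsRelative'] -eq '0') { $p['Path'] }
        else { Join-Path $BaseDir ($p['Path'] -replace '/', '\') }
    }
}

function Set-FirefoxUserPref {
    param([string]$ProfileDir, [string]$Name, [string]$Value)
    $userJs = Join-Path $ProfileDir 'user.js'
    $line = 'user_pref("{0}", "{1}");' -f $Name, $Value
    $kept = @()
    if (Test-Path -LiteralPath $userJs) {
        # Drop any earlier line for this pref so repeated logons do not add duplicates
        $pattern = 'user_pref\(\s*"' + [regex]::Escape($Name) + '"'
        $kept = @([System.IO.File]::ReadAllLines($userJs) | Where-Object { $_ -notmatch $pattern })
    }
    # user.js is read at Firefox startup and overrides the value stored in prefs.js
    [System.IO.File]::WriteAllLines($userJs, [string[]]($kept + $line))
}

if (Test-Path -LiteralPath $ProfilesIni) {
    foreach ($dir in Get-FirefoxProfilePath -IniPath $ProfilesIni -BaseDir $FirefoxDir) {
        if (Test-Path -LiteralPath $dir -PathType Container) {
            Set-FirefoxUserPref -ProfileDir $dir -Name $PrefName -Value $TrustedUris
        }
    }
}
```

For more than one site, put the comma-separated list in $TrustedUris; the new value is picked up the next time Firefox starts.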