How to configure Firefox for NTLM SSO (Single-Sign-On)?
Solution 1
- When accessing the relevant site you need to make sure you run Firefox as the Windows user you want to log on as. If you always log onto a workstation as a domain user then there is no issue, otherwise you may need to Shift + right-click the shortcut and choose Run as different user..., or setup a shortcut with your credentials saved
- In Firefox, type
about:config
In the address bar and press return. - After the config page loads, in the filter box type:
network.automatic
. You should see a search result ofnetwork.automatic-ntlm-auth.trusted-uris
- Modify
network.automatic-ntlm-auth.trusted-uris
by double clicking the row and enter the relevent site - Multiple sites can be added by comma delimiting them such as:
https://your_SecureAuth_FQDN.com, https://www.replacewithyourintranetsite.com
- Click OK. You may need to restart Firefox for changes to take effect.
This is based on numerous pages I found on the internet, including this Firefox support page
Solution 2
To authenticate Firefox automatically through a proxy (avoiding NTLM prompt), you have to modify 3 parameters.
- Open the page about:config (in the address bar)
Add your uris (separate with ,
) in the following 3 parameters:
network.automatic-ntlm-auth.trusted-uris
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris
and change it with the URL of your proxy redirection page, like http://myproxy.local
Modify
-
signon.autologin.proxy
to betrue
If you do it by script, be careful with the dots (.
) and the dash (-
) in the parameters. This is often the problem.
Solution 3
The suggested solution with network.automatic-ntlm-auth.trusted-uris was not enough in my case. Then I tried the same in network.negotiate-auth.trusted-uris Now it works.
Solution 4
This worked for me:
Change network.automatic-ntlm-auth.allow-non-fqdn to True and signon.autologin.proxy to True
Add yourcompanyname.com in:
network.automatic-ntlm-auth.trusted-uris
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris
Solution 5
I modified signon.autologin.proxy to be true (by double-clicking on the preference name) and changed network.negotiate-auth.trusted-uris to timecard.example.com and it's working for me, almost too well. When I sign out of the page, it takes me to a sign-in screen, where I'm instantly logged in again. But I can live with that. What is missing is a way to either (a) add another URI with a single click, or (b) use wildcards, such as *.example.com.
Related videos on Youtube
![Nicolas Raoul](https://i.stack.imgur.com/F5gLZ.png?s=256&g=1)
Nicolas Raoul
I am Nicolas Raoul, IT consultant in Tokyo. Feel free to copy/paste the source code from my StackExchange answers, I release it to the public domain.
Updated on September 18, 2022Comments
-
Nicolas Raoul almost 2 years
My computer and user belonging to the domain, I want to connect to my NTLM-SSO-enabled intranet website
http://intranet
without providing a login/password.How to do it with Mozilla Firefox?
-
shorif2000 about 10 yearsthis does not work. i have read the same thing on many pages. is there an update for firefox v30
-
James P about 10 years@sharif: Try using the downloading the following add-on: addons.mozilla.org/en-US/firefox/addon/… then click Tools->Integrated Authentication Sites and check the box at the bottom that says Enable pass-through on all non-FQDN sites even if they aren't listed here
-
James P about 10 years@sharif: The issue that affects Firefox 30 specifically is that insecure v1 of NTLM has been disabled by default. It could be that you need to use the about:config editor to set
network.negotiate-auth.allow-insecure-ntlm-v1
to be true. However, NTLMv1 is very old, so I'm not sure if you would be using it. Relevant link: developer.mozilla.org/en-US/Firefox/Releases/30/… -
Van Jone almost 9 yearsStill not working: FF keeps popping that annoying dialog prompt with already saved username and password
-
Van Jone almost 9 yearsNothing works so far. Whatever I try from all answers here, FF keeps popping that annoying dialog prompt with (already saved!) username and password. Very un-thought design on FF side, I must say...
-
James P almost 9 yearsDepending on the situation it might be worth trying with
network.automatic-ntlm-auth.allow-non-fqdn
set to true, although for me it still worked when set to false and not specifying a domain. Unfortunately Mozilla have made these settings far too numerous and complex -
Michal Bernhard about 6 yearsnetwork.negotiate-auth.trusted-uris works for me. Eg. when subdomain1.companydomain.cz/identitity/auth is page where authentication through NTML is done, you have tu put value subdomain1.companydomain.cz (ie. protocol and full domain, without path). Note that values are comma (,) separated.
-
Adarsh almost 6 yearsWorks perfectly for me. My organization uses windows based single sign-on. Tested on firefox v61.0.2