Thursday, December 30, 2010

Integrated Windows Authentication and Firefox

Your manager decides to support Firefox in addition to IE for all intranet applications.

"That should be easy. You develop cross-browser anyway. Right?"
Well, yes and no.

Your HTML, CSS and JavaScript are only part of the picture.

Browser settings are another creature altogether, and when you're working with Kerberos authentication, browser settings are critical to:

  • pass the user's credentials without prompting him or her to sign in (single sign-on) and

  • allow impersonation and delegation of the user's credentials from the web server to the database server (double hop).



Firefox Settings - Cheat Sheet

There are 5 settings you need to change, all accessible when you type about:config in the address bar:

setting: network.negotiate-auth.delegation-uris

value: mySite.com,myotherSite.com

setting: network.negotiate-auth.trusted-uris

value: mySite.com,myotherSite.com

setting: network.automatic-ntlm-auth.trusted-uris

value: mySite.com,myotherSite.com

setting: network.automatic-ntlm-auth.allow-proxies

value: true

setting: network.negotiate-auth.allow-proxies

value: true

Piece of cake.

Now for the hard part: figuring out how to change the Firefox settings for your thousands of users...
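Once the settings are rolled out, you will want to confirm that a given profile actually carries them. The following is an added example, not code from the original post: it reads the `user_pref("name", value);` lines of a profile's prefs.js and reports every deviation from the five cheat-sheet values, including hosts that were added to a URI list beyond the approved ones. The function names and the sample file content are assumptions made for illustration; the host list is the placeholder from the cheat sheet.

```python
import re

# The five preferences from the cheat sheet, with the page's placeholder host list.
SITES = "mySite.com,myotherSite.com"
EXPECTED = {
    "network.negotiate-auth.delegation-uris": SITES,
    "network.negotiate-auth.trusted-uris": SITES,
    "network.automatic-ntlm-auth.trusted-uris": SITES,
    "network.automatic-ntlm-auth.allow-proxies": True,
    "network.negotiate-auth.allow-proxies": True,
}
# One line of a profile's prefs.js: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value}; true/false become bool, quoted strings lose their quotes."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:  # comments and blank lines do not match
            raw = m.group(2).strip()
            prefs[m.group(1)] = {"true": True, "false": False}.get(raw, raw.strip('"'))
    return prefs

def hosts(value):  # comma-separated URI list -> lower-cased set
    return {h.strip().lower() for h in str(value).split(",") if h.strip()}

def audit(text):
    """Return (preference, issue, detail) tuples for every deviation from EXPECTED."""
    prefs, findings = parse_prefs(text), []
    for name, want in EXPECTED.items():
        if name not in prefs:
            findings.append((name, "not set", ""))
        elif isinstance(want, bool):
            if prefs[name] is not want:
                findings.append((name, "wrong value", str(prefs[name])))
        else:
            got, ok = hosts(prefs[name]), hosts(want)
            if ok - got:
                findings.append((name, "missing hosts", ",".join(sorted(ok - got))))
            if got - ok:
                findings.append((name, "unexpected hosts", ",".join(sorted(got - ok))))
    return findings

SAMPLE = '''// Constructed sample prefs.js content, not taken from a real profile
user_pref("network.negotiate-auth.trusted-uris", "mySite.com,myotherSite.com");
user_pref("network.negotiate-auth.delegation-uris", "mySite.com,myotherSite.com,extra.example");
user_pref("network.automatic-ntlm-auth.trusted-uris", "mySite.com");
user_pref("network.negotiate-auth.allow-proxies", true);'''
```

Calling `audit(SAMPLE)` reports the extra host in the delegation list, the host missing from the NTLM list, and the NTLM proxy setting that is not set in the profile.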

7 comments:

BLOW said...

Sir, the 4th and 5th steps are the same. Is it a typo, or are they really meant to be the same?

Daniel said...

@BLOW: Thanks for picking up on that. The last one should read:
network.negotiate-auth.allow-proxies
(corrected above)

bbbush said...

What's the purpose of "signon.autologin.proxy" then?

jawahar said...

jawahar: (jawaharraj89@gmail.com)
This is not working for me in Firefox. Please
guide me to set this.

Florin Jurcovici said...

Struggling with this right now. Firefox is stubborn, and in spite of setting
everything right, it refuses to send a Kerberos token.

But I remember having read a post today somewhere about distributing this
to all users in your org: the options are in a .js file in the Firefox kit for Windows.
There should be a way to extract the relevant file from there, modify it, then put
it back, and have all users use this kit for update/install.

Victoria - Ozarks Crescent Mural said...

OMIGOSH! Thank you so much! I kept getting an HTTP authentication error for my work website in Firefox, although I could pull it up in Chrome and Opera. Drove me crazy I couldn't access it from Firefox. Thanks to your instructions, it now opens! I was so sick of seeing that 401 error page. THANK YOU!

Daniel said...

@Victoria: You're welcome!