Firefox and NTLM authentication

As is common in many large organizations, my employer has many sites that ask for your Windows logon credentials, using a process often referred to as “NTLM authentication”. On Windows, the idea is that the credentials will be passed through to the requester and you won’t have to enter them yourself. Firefox supports this but, out of security concerns, does not allow it by default, and annoyingly it does not provide a GUI way to change that. Instead, you will need to use the infamous about:config page to fix this.

If you’ve never used it before, you simply open a tab and type about:config where you would normally enter a web site address. You may get a warning; that’s ok, just click the I’ll be careful, I promise!! button. You’ll then get a slew of options that control pretty much everything about Firefox. Fortunately, there is a Filter text box – enter ntlm in there. You should now see an entry below named network.automatic-ntlm-auth.trusted-uris; double-click that.

Firefox checks this string for a match with the host name portion of the site wanting to authenticate – that’s the part between the http:// or https:// and the first solitary /. You can have multiple sites separated by a comma and space. So let’s say you have two internal sites, https://first.example.com/ and http://last.example.com/. In the text box, you would enter first.example.com, last.example.com. Unfortunately, as far as I know there is no way to specify a wild card such that everything ending in, say, example.com authenticates.

Update: actually, I just experimented with this a bit. It turns out it only appears to match a substring. So if you use just example.com it would match both first.example.com and last.example.com.

When you have what you need in the text box, click OK. If you want to test it out but have already authenticated to the site, close Firefox and re-open it. Just closing the tab will likely not test it, as Firefox will cache the credentials you provided when prompted. When you re-open the site, you should no longer be prompted to enter your credentials.
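
As an added example (not from the original post and not Firefox's own code), this JavaScript sketch audits a trusted-uris value: given the pref string and a site URL, it lists which entries would cover that site. It assumes each entry has the form [scheme://]host[:port] and that a host matches when it equals the entry or ends with it on a dot boundary; the function names and sample values are constructed here.

```javascript
// Added example, not Firefox source. Assumed entry form: [scheme://]host[:port].
const ENTRY = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+))?$/i;

function parseEntry(raw) {
  const m = ENTRY.exec(raw.trim());
  if (!m) return null; // empty or unparseable entries are ignored in this sketch
  return {
    raw: raw.trim(),
    scheme: m[1] ? m[1].toLowerCase() + ':' : null,
    host: m[2].toLowerCase(),
    port: m[3] ? Number(m[3]) : null,
  };
}

function portOf(url) {
  if (url.port) return Number(url.port);
  return url.protocol === 'https:' ? 443 : 80;
}

// Assumption: the host matches when it equals the entry or ends with it on a
// dot boundary, so "example.com" covers "first.example.com".
function hostMatches(host, entryHost) {
  const suffix = entryHost.startsWith('.') ? entryHost : '.' + entryHost;
  return host === entryHost || host.endsWith(suffix);
}

// Returns the entries of prefValue that would cover siteUrl.
function matchingEntries(prefValue, siteUrl) {
  const url = new URL(siteUrl);
  return prefValue.split(',').map(parseEntry).filter((e) =>
    e !== null &&
    (e.scheme === null || e.scheme === url.protocol) &&
    (e.port === null || e.port === portOf(url)) &&
    hostMatches(url.hostname.toLowerCase(), e.host)
  ).map((e) => e.raw);
}

// Constructed sample values, using the host names from the post.
const narrow = 'first.example.com, last.example.com';
const broad = 'example.com';
const httpsOnly = 'https://first.example.com, https://last.example.com';
for (const [pref, site] of [
  [narrow, 'https://first.example.com/app'],
  [narrow, 'https://other.example.com/'],
  [broad, 'https://other.example.com/'],
  [broad, 'https://notexample.com/'],
  [httpsOnly, 'http://last.example.com/'],
]) {
  console.log(JSON.stringify(pref), site, '->', matchingEntries(pref, site));
}
```

Under these assumptions, the bare example.com entry covers every host beneath that domain, while the https://-prefixed entries leave the plain http:// site uncovered.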
