Automatic Windows Authentication with Firefox network.automatic-ntlm-auth.trusted-uris

One of the main reasons I don’t use Firefox in an Intranet environment, is due to the logon prompt from IIS Windows Authentication. I keep having problems with IE7 on Vista losing the auto-NTLM auth, where it asks for my password, when it’s supposed to just log me in based on my domain logon! ARgh! So I started Google-ing and found out that Firefox can do this too!!! I never knew that, in all these years of Firefox use!

You have to set which sites are allowed to do this though. But that’s fine, not like I login with NTLM all over the place, just a couple sites from the Intranet. Go to about:config in Firefox, lookup all the “network:auth” items and you’ll see this one:

network.automatic-ntlm-auth.trusted-uris

Open that, and enter the website address. (even port if needed) BAM! That’s it!

For example:

webapp.servername.local:8080

This will use automatic NTLM logons based on your windows logon. But note: I do not know if this works if your machine is not a member of a domain.

Quick update on 3/31/2011:

It was pointed out to me that there is a newer about:config key:
network.negotiate-auth.trusted-uris

I don’t think this is a newer key though, and it appears to have different meaning.  My understanding is that network.negotiate-auth.trusted-uris lists sites that are permitted to use SPNEGO authentication, which is not the same as “permitting trusted sites to use NTLM authentication”, which is was network.automatic-ntlm-auth.trusted-uris is for.  I haven’t tested these settings recently, so I can’t say if they work for sure. But I can say, that I found a site last updated in 2005 that mentioned this second key, so its been around for a while.  I’d just set only the NTLM key and see if it works. If not, try this second key and see.

 

  • http://www.1stbyte.com Greg

    Someone left a comment and I think I bulk deleted it on accident. Whoever you are, sorry about that. If you like, post again, I’ll remove my comment.

    Anyway, your comment on adding multiple sites is a good point. So to add more than one site to this list, just use comma separated list. (site1.com, site2.net, etc)

  • Steve

    Where the heck is about:config? Firefox 2.0.

  • http://www.1stbyte.com Greg

    about:config is like a Mozilla “registry” of settings builtin to it. You get to it by typing that directly in your URL address bar. Like you are browsing to it.

  • http://andreasaronsson.com BOLL

    Oooh, this is nice :) Now I can use Firefox (without IEtab) for our company intranet! Thanks! I always, like you, assumed that automatic Windows Authentication was unavailable for Firefox :O

  • Jonix

    Quite important though, the comma seperated list is actually comma and space seperated. It didn’t work at first, until I put a space after the comma.

  • http://pro-thoughts.blogspot.com/ Vladimir Kelman

    Is there a way to read about:config (network.automatic-ntlm-auth.trusted-uris) settings from JavaScript? (Or maybe from HTTP headers in a server-side code?)

    • http://www.1stbyte.com Greg

      I am not sure if you can do that from Javascript. You might need to Google a bit on that one. I can see that might be handy, but maybe there are security implications allowing access to some of that data in about:config.

      Thanks for the comment! (and question)

  • http://pro-thoughts.blogspot.com/ Vladimir Kelman

    Yes, it probably would be dangerous to be able to modify it, but it would be nice to read it! On my “DualLogin” page (ASP.NET, C#) I display a “Use Windows Credentials” link which allows domain users to login without submitting username/password explicitly (it then verifies automatically passed username against application’s database and uses FormsAuthentication.RedirectFromLoginPage().
    I’m displaying that link only for internal users (IP check) and, currently, only for IE users, because I don’t want that automatic authentication pop-up. If it was possible to read network.automatic-ntlm-auth.trusted-uris settings, I would display this link for some Firefox users as well…

  • Brunis

    I think they changed the name now!
    It seems to be: network.negotiate-auth.trusted-uris

  • Brunis

    I think they changed the name now!
    It seems to be: network.negotiate-auth.trusted-uris

  • Cbextra2

    Thanks for this information. It was very helpful. I made one mistake that took me some time to figure out so I thought I would post it.

    We use SBS 2003. I wanted FF to open our company web page without authentication. Our companyweb address is http://companyweb. It should have been obvious that this was what I should have entered. Instead, I just copied the URL bar contents (http://companyweb/default.aspx) and inserted this instead. The latter will not work!

    Thanks again for the post.

  • johnson dell

    Browser Tech Support For Free @ 1800 935 0537

  • johnson dell

    For Free Browser Tech Support Contact Us: 1-800-935-0537
    http://computertechsupport.us/