Log-in with a certificate is not possible

With Firefox 115.14.0esr, 115.2esr and 128.xesr we can`t log in into a company website with a certificate. After the certificate login we end up on the WebSeal again. Htt… (read more)

With Firefox 115.14.0esr, 115.2esr and 128.xesr we can`t log in into a company website with a certificate. After the certificate login we end up on the WebSeal again. Http status 302 for pkmslogin.form and pkmscertpromptstagen is called ~12x repeatedly with 302 error each time and then jump back to the login screen.

Asked by desislava.ivanova 2 weeks ago

Last reply by Mike Kaply 1 week ago

Upgrading to Firefox ESR 128.2.0 from 115.15.0

Hi, Looking to upgrade our org to ESR 128.2.0 due to compatibility issues - most notably, embedded PDFs not loading due to Promise.withResolvers() not being implemented… (read more)

Hi,

Looking to upgrade our org to ESR 128.2.0 due to compatibility issues - most notably, embedded PDFs not loading due to Promise.withResolvers() not being implemented on versions prior to 121.

Curious to know if there are any issues or concerns with upgrading manually/pushing this version out - would like to ensure we don't cause further issues in attempting to resolve one.

Asked by ngreyling 1 week ago

Last reply by Mike Kaply 1 week ago

ограничения в приеме писем

Добрый день! Есть проблема в получении определенных писем. От отправителя один вид писем приходит (общение с тех.поддержкой), а автоматическая рассылка кодов нет. Может л… (read more)

Добрый день! Есть проблема в получении определенных писем. От отправителя один вид писем приходит (общение с тех.поддержкой), а автоматическая рассылка кодов нет. Может ли быть у меня проблема в получении писем? какое то ограничение или запрет? В папке спам письма так же проверяю

Asked by biv 1 week ago

Last reply by TyDraniu 1 week ago

Support ECH or ESNI in 128.2.0esr

Hello, I installed Firefox 128.2.0esr. I set the next parameters in GPO for settings DNSOverHTTPS: "DNSOverHTTPS": { "Enabled": true, "Provi… (read more)

Hello,

I installed Firefox 128.2.0esr. I set the next parameters in GPO for settings DNSOverHTTPS: "DNSOverHTTPS": {

                      "Enabled":  true,

"ProviderURL": "https://safe.dot.dns.yandex.net/dns-query", "Locked": true, "Fallback": true }. But when checking via https://www.cloudflare.com/ru-ru/ssl/encrypted-sni/#results I get (screenshot in attachment). As you can see from the screenshot, DNS and SNI did not receive the coveted check marks. Secure DNS We weren’t able to detect whether you were using a DNS resolver over secure transport. Contact your DNS provider or try using 1.1.1.1 for fast & secure DNS. DNSSEC Attackers cannot trick you into visiting a fake website by manipulating DNS responses for domains that are outside their control. TLS 1.3 Nobody snooping on the wire can see the certificate of the website you made a TLS connection to. Secure SNI Anybody listening on the wire can see the exact website you made a TLS connection to.

In my browser / about:config: network.trr.mode = 2 network.trr.uri = https://safe.dot.dns.yandex.net/dns-query

In 128.2.0esr there is no protection against ESNI interceptions and ECH is enabled by default? Or is the problem that the DNS provider does not support the technology from Mozilla? Or what other settings we need use (via GPO)?

Thank you.

Asked by Mark Talala 1 month ago

Last reply by Valentin 3 weeks ago

Kerberos authentication working for Chrome, Edge, Opera, and Brave, but not Firefox

Firefox (129.0.2) displays "401 - Unauthorized: Access is denied due to invalid credentials" (see attached image) I have tried various combinations of setting and not se… (read more)

Firefox (129.0.2) displays "401 - Unauthorized: Access is denied due to invalid credentials" (see attached image)

I have tried various combinations of setting and not setting the following in Firefox:

  • network.negotiate-auth.trusted-uris
  • network.negotiate-auth.delegation-uris
  • network.auth.use-sspi

For the URI settings I have tried both .domainname.domainextension and https://servicename.domainname.domainextension

In Windows 10 Control Panel -> Internet Options, the site is in "Trusted sites" using a domain wildcard, and also "Local intranet" and both "Automatic logon" and "Enable Integrated Windows Authentication" are enabled. I suspect those setting aren't relevant since other browsers are authenticating without error or prompt, but calling this out to show that I've covered that base.

The web service is served by IIS 10.0 on Windows Server 2022 and the authentication provider list only includes Negotiate, but I don't believe this issue has anything to do with IIS or its configuration as, again, other browsers are authenticating without error or prompt.

Anything else to check?

Thank you for any guidance you can offer.

Asked by bryan 1 month ago

Last reply by Mike Kaply 1 month ago

ADMX Help

Hello, I am reaching out to gain information on ADMX GPO policies. We are retiring Policy Pak which used to add all the policies and secure Firefox for Enterprise. Wha… (read more)

Hello,

I am reaching out to gain information on ADMX GPO policies. We are retiring Policy Pak which used to add all the policies and secure Firefox for Enterprise. What we noticed is that Policy Pak used the app set to apply these policies and we are noticing that native GPO's for the most part to match the Policy Pak policies is not as accurate for GPO's My ask here is there any Most Viable Product suggestions to apply Native GPO's for securing Firefox.

Asked by chris_weiderhold 2 months ago

Last reply by Mike Kaply 1 month ago

Require device sign in to fill and manage passwords BUT with GPO?

I am working on deploying Firefox with a GPO and I noticed that a saved password can be easily viewed just by going into the password manager. I found a way to disable th… (read more)

I am working on deploying Firefox with a GPO and I noticed that a saved password can be easily viewed just by going into the password manager. I found a way to disable the password manager all together, but then you can't save passwords. I am look for a way just to Require device sign in to fill and manage passwords as it says so its not just clicking the eyeball to see the password. I saw this article ( https://support.mozilla.org/en-US/kb/firefox-password-authentification-prompt ) which is how I got the description for this and that seems to be exactly what I want, But I cannot find this setting anywhere in the GPO. Anyone know where it is OR perhaps maybe you could add it?

Asked by awebber1 1 month ago

Last reply by cor-el 1 month ago

Locking down firefox for primary school

Hi All, I'm using Firefox on 24 PC's in a primary school computer Lab, I have had reports of students installing extensions and plugins that i wish to stop, also i've ha… (read more)

Hi All,

I'm using Firefox on 24 PC's in a primary school computer Lab, I have had reports of students installing extensions and plugins that i wish to stop, also i've had issues with students not signing out of their email and other students gaining access.

Im looking for solutions for the following and was hoping someone could point me in the right direction -

1. Disabling the installations of extensions and plugins. 2. Clearing browsing history/logging out of any accounts. 3. Locking settings so students can't change settings.

Any help would be greatly appreciated. Adam

Asked by adam183 2 months ago

Last reply by James 1 month ago

How to update Firefox ESR 115.14.0 to 128.1.0?

I'm a newbie using Debian and Deb 12 ships with Firefox ESR and I've decided to stick with it instead of the regular release, 'cause it breaks some extensions I have. How… (read more)

I'm a newbie using Debian and Deb 12 ships with Firefox ESR and I've decided to stick with it instead of the regular release, 'cause it breaks some extensions I have. However, I want to upgrade to the latest ESR version, how do I do it? I tried going to (https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr), but the file for linux 64 bit is a .tar.bz2 file, which I have no idea how to compile.

Asked by spandanjit.05 1 month ago

Last reply by cor-el 1 month ago

Firefox ESR/Duo: Not reporting minor version in user agent

We use ESR due to its stability and long term security updates, and we use Duo as our SSO/IDP. We have Duo set to deny login when the browser is more than 6 mo out of da… (read more)

We use ESR due to its stability and long term security updates, and we use Duo as our SSO/IDP.

We have Duo set to deny login when the browser is more than 6 mo out of date, but due to the way FF reports only the main version number via the user agent Duo is unable to determine that FF ESR is actually up to date and thinks that it's too old and my users are being denied login or getting an erroneous message about needing to update their browser.

Is there a way to set FF to report it's whole version to Duo? We would prefer not to have to "outlaw" FF in our prod environment if at all possible.

Asked by Jarrod Coombes 1 month ago

Last reply by Mike Kaply 1 month ago

Firefox 128 ESR-next Releases not reading firefox.cfg

My company has been using the same customized autoconfig.js without issue since last year's FF 115 esr release on our Ubuntu servers. cat /opt/firefox-115.13.0esr/defau… (read more)

My company has been using the same customized autoconfig.js without issue since last year's FF 115 esr release on our Ubuntu servers.

cat /opt/firefox-115.13.0esr/defaults/pref/autoconfig.js pref("browser.tabs.inTitlebar", 0); pref("general.config.filename", "firefox.cfg"); pref("general.config.obscure_value", 0); pref("general.config.sandbox_enabled", false); pref("pdfjs.annotationEditorMode", 1);

Now we are testing the 128 esr next releases with the same config and getting the failed to read the configuration file. please contact your system administrator error

cat /opt/firefox-128.1.0esr/defaults/pref/autoconfig.js pref("browser.tabs.inTitlebar", 0); pref("general.config.filename", "firefox.cfg"); pref("general.config.obscure_value", 0); pref("general.config.sandbox_enabled", false); pref("pdfjs.annotationEditorMode", 1);

If remove pref("general.config.obscure_value", 0); or set it to 1, the error goes away, but our actual firefox.cfg does not get read and are configs are not present at all.

Asked by Ruben Gomez 2 months ago

Last reply by cor-el 1 month ago

Policy to set startpage not working on first start / Linux

Hello, I am using firefox 126.0 on linux mint 21.2 with an policy file in the directory "/usr/lib/firefox/distribution/policies.json". This is just working fine with one… (read more)

Hello,

I am using firefox 126.0 on linux mint 21.2 with an policy file in the directory "/usr/lib/firefox/distribution/policies.json". This is just working fine with one little problem. When opening firefox the first time, it does not apply the policy to set the startpage to the url in the policy file. All other policies seem to be applied correctly. I figured out, that at the first start of firefox, no user profile (folder) "~/.mozilla/" exists. When i click the little "house" button on the the top besides the refresh buton, the correct startpage is shown. After the first start this folder is created and then the policies work fine even the startpage shows up directly. Can I somehow use a template profiles-folder for new users, so they have the correct firefox feeling at the first start or is there something missing in my policy file ? The policy file has rights set to "644 root:root" Image of the policy file is attached because I can't upload files other then images.

Thank you.

Asked by naumaj 4 months ago

Last reply by Mike Kaply 2 months ago

Enforce use of extension

Hello, My company recently started using ActivTrak Monitoring software and I need some help configuring the setup for Apple computers. I'm trying to create a custom .mob… (read more)

Hello,

My company recently started using ActivTrak Monitoring software and I need some help configuring the setup for Apple computers. I'm trying to create a custom .mobileconfig to automatically turn on the browser extension and then stop the end users from turning the add-on off. I can successfully install and lock the extension on once installed but need to manually activate the add-on first. What do I need to add to the plist to enable the extension automatically?

Thank you!

Asked by MiITsolutions 4 months ago

Last reply by Mike Kaply 2 months ago

An Extension was added via GPO, and we would like to enable the two settings / make the extension removable

Hi supporting teams / volunteers, A Microsoft Purview extension was added via GPO previously, and we would like to enable the two settings (indicated with red box), may … (read more)

Hi supporting teams / volunteers,

A Microsoft Purview extension was added via GPO previously, and we would like to enable the two settings (indicated with red box), may I know if anyone might have clues on that please? Also, would like to also check if we could remove the extension from users' end, since it said "can't be removed". Many thanks.

Best regards, Vincent

Asked by vyau1018 2 months ago

Last reply by Mike Kaply 2 months ago

Require device sign in to fill and mange passwords (mozilla.cfg)

Hi all I like to enforce the following setting "Require device sign in to fill and mange passwords" in the mozilla.cfg but I couldn't find the setting in about:config. … (read more)

Hi all

I like to enforce the following setting "Require device sign in to fill and mange passwords" in the mozilla.cfg but I couldn't find the setting in about:config.

Can anyone help?

Regards

Ogami

Asked by Ogami Itto (Gobi85) 2 months ago

Last reply by Mike Kaply 2 months ago

Microsoft SSO not working

Hello, I have enabled the Allow Windows single sign-on for Microsoft, work, and school accounts setting via GPO for Desktops, and it is showing as ticked. Additionally,… (read more)

Hello,

I have enabled the Allow Windows single sign-on for Microsoft, work, and school accounts setting via GPO for Desktops, and it is showing as ticked.

Additionally, within Settings > Email & Accounts, my account is showing underneath Accounts used by other apps

However SSO does not seem to be working whenever I go to the likes of office.com

However, within the likes of Google Chrome (with the Microsoft Single Sign On Extension), SSO works seamlessly.

Does anyone have any ideas?

Thanks so much.

Asked by d.mccrickard 3 months ago

Last reply by Mike Kaply 3 months ago

Deploying Firefox Developer Edition with Intune

I'm having trouble find clear directions online on how to import Firefox Developer Edition into my Intune App Catalog to deploy it to users. I was able to convert the .ex… (read more)

I'm having trouble find clear directions online on how to import Firefox Developer Edition into my Intune App Catalog to deploy it to users. I was able to convert the .exe installer into a .intunewin file but Intune won't import it for some reason. All the other directions i keep finding just direct me to creating a custom configuration policy around FireFox but it looks like it is just the basic Firefox for Enterprise.

I'm hoping to either get directed to actual directions for this or even a .msi installer for the developer edition. Does that exist?

Asked by sstroup970 3 months ago

Last reply by James 3 months ago

Firefox needs updating to many machines - how do i do this easily when no internet connection?

I have a number of servers which need firefox updating They do not have internet. There is one machine that does have internet How do i get them to point to that serve… (read more)

I have a number of servers which need firefox updating They do not have internet.

There is one machine that does have internet

How do i get them to point to that server for updates?

FF should have an easy deployment console for rolling out their product.

I saw something about an MAR server however its not clear.

We just have WSUS so cant use that to update like Edge.

Asked by petesinbox 3 months ago

Last reply by Mike Kaply 3 months ago

Addon/Extension allow list with group policy

Hello! I manage our browser configuration for our enterprise. We use group policy to restrict browser addons until they clear our internal security review. I'm looking … (read more)

Hello!

I manage our browser configuration for our enterprise. We use group policy to restrict browser addons until they clear our internal security review.

I'm looking for a way to allow specific addons using group policy, while generally blocking everything else.

I've found the setting to enforce the installation of addons, but we'd like to avoid forcing every addon to install on every system as there would be overlap between things like password managers and such.

Is there a way to accomplish this?

Asked by ggroathouse 3 months ago

Last reply by Mike Kaply 3 months ago

Azure Virtual Desktop

Hello, We have a client using Azure Virtual Desktops. Most of the users prefer to use Firefox. We are having an issue that anytime we update Firefox and reimage the vi… (read more)

Hello,

We have a client using Azure Virtual Desktops. Most of the users prefer to use Firefox. We are having an issue that anytime we update Firefox and reimage the virtual hosts. When the users login they get a new Firefox profile. We have to remote in and copy their old profile data to the new profile.

Is there a better way for us to handle Firefox and profiling in and Azure Virtual Desktop deployment?

Asked by jbrady6 4 months ago

Last reply by Mike Kaply 4 months ago