Firefox Enterprise Community Forum

I am trying to reach an internal company website ([URL]), with a certificate chain rooted in a company certificate authority. This works fine in Chrome, and worked in Firefox on my previous computer. But i recently got a new machine, and something somewhere is not quite right. I get an error message looking like this (between the ~~~s):

~~~ Someone could be trying to impersonate the site and you should not continue.

Web sites prove their identity via certificates. Firefox does not trust [URL] because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.

Error code: SEC_ERROR_UNKNOWN_ISSUER

View Certificate ~~~

If i click on the error code, i get these details:

~~~ [URL]

Peer's Certificate issuer is not recognised.

HTTP Strict Transport Security: false HTTP Public Key Pinning: false

Certificate chain:

[certificate]

[certificate]

[certificate]

~~~

If i click 'View Certificate', i get a chain of three certificates:

1. Subject common name = [certificate]
2. Subject common name = [certificate]
3. Subject common name = [certificate]

If i go to Settings > Privacy & Security > View Certificates > Authorities, i can find both the [certificate] certificates. As far as i can tell, they are identical - i can open the certificate from 'View Certificate' and the corresponding one from the certificate manager and flip between tabs, and all the details are the same.

I am using Firefox 120.0, via a flatpak, on Ubuntu 22. I have given the flatpak access to /etc/ssl/certs, where my company's internal CA certificates are located.

To me, this seems like it should all work. The server has a certificate signed by an internal CA, which is signed by another internal CA, and both those internal CA certificates are in my certificate manager. So what is going wrong? Is there any way i can debug this?

Firefox (129.0.2) displays "401 - Unauthorized: Access is denied due to invalid credentials" (see attached image)

I have tried various combinations of setting and not setting the following in Firefox:

• network.negotiate-auth.trusted-uris
• network.negotiate-auth.delegation-uris
• network.auth.use-sspi

For the URI settings I have tried both .domainname.domainextension and https://servicename.domainname.domainextension

In Windows 10 Control Panel -> Internet Options, the site is in "Trusted sites" using a domain wildcard, and also "Local intranet" and both "Automatic logon" and "Enable Integrated Windows Authentication" are enabled. I suspect those setting aren't relevant since other browsers are authenticating without error or prompt, but calling this out to show that I've covered that base.

The web service is served by IIS 10.0 on Windows Server 2022 and the authentication provider list only includes Negotiate, but I don't believe this issue has anything to do with IIS or its configuration as, again, other browsers are authenticating without error or prompt.

Anything else to check?

Thank you for any guidance you can offer.

I am working on deploying Firefox with a GPO and I noticed that a saved password can be easily viewed just by going into the password manager. I found a way to disable the password manager all together, but then you can't save passwords. I am look for a way just to Require device sign in to fill and manage passwords as it says so its not just clicking the eyeball to see the password. I saw this article ( https://support.mozilla.org/en-US/kb/firefox-password-authentification-prompt ) which is how I got the description for this and that seems to be exactly what I want, But I cannot find this setting anywhere in the GPO. Anyone know where it is OR perhaps maybe you could add it?

Hi All,

I'm using Firefox on 24 PC's in a primary school computer Lab, I have had reports of students installing extensions and plugins that i wish to stop, also i've had issues with students not signing out of their email and other students gaining access.

Im looking for solutions for the following and was hoping someone could point me in the right direction -

1. Disabling the installations of extensions and plugins. 2. Clearing browsing history/logging out of any accounts. 3. Locking settings so students can't change settings.

Any help would be greatly appreciated. Adam

We use ESR due to its stability and long term security updates, and we use Duo as our SSO/IDP.

We have Duo set to deny login when the browser is more than 6 mo out of date, but due to the way FF reports only the main version number via the user agent Duo is unable to determine that FF ESR is actually up to date and thinks that it's too old and my users are being denied login or getting an erroneous message about needing to update their browser.

Is there a way to set FF to report it's whole version to Duo? We would prefer not to have to "outlaw" FF in our prod environment if at all possible.

I am trying to manage Firefox for company devices via Intune and would like to know if there is a way to uninstall all extensions/add-ons besides one or two approved ones.

I have been able to import the Firefox AMDX into Intune and have made a policy to install uBlock (which works without issue) and I can uninstall specific extensions/add-ins via their Extension ID (also without issue), however I can't see a way to uninstall all extensions. If I try and put a wildcard in the Extension ID field, nothing is affected.

We have a large number of devices with their own user-installed extensions so auditing this and then updating a policy manually with specific extension IDs may be quite painful.

We followed the links below to block internet access in Firefox browser:

https://www.youtube.com/watch?v=fAGYYX5hYb8 https://github.com/mozilla/policy-templates/releases

We downloaded the ADMX and ADML files. Using these files, we were able to locate Mozilla Firefox in Group Policy Management and successfully block all websites in the Firefox browser using the pattern :///*.

However, we encountered an issue with exceptions. We do not wish to block certain websites, including localhost. We attempted to use the "Exceptions to block websites" option, providing values such as ://msn.com/ to exclude specific sites. Unfortunately, this approach did not work as intended. For instance, msn.com is one of the websites we want to allow, among others and also localhost.

We require assistance with the following issue: "Exceptions to block websites" is not functioning properly within the group policy of Mozilla Firefox.

Hello,

I am using firefox 126.0 on linux mint 21.2 with an policy file in the directory "/usr/lib/firefox/distribution/policies.json". This is just working fine with one little problem. When opening firefox the first time, it does not apply the policy to set the startpage to the url in the policy file. All other policies seem to be applied correctly. I figured out, that at the first start of firefox, no user profile (folder) "~/.mozilla/" exists. When i click the little "house" button on the the top besides the refresh buton, the correct startpage is shown. After the first start this folder is created and then the policies work fine even the startpage shows up directly. Can I somehow use a template profiles-folder for new users, so they have the correct firefox feeling at the first start or is there something missing in my policy file ? The policy file has rights set to "644 root:root" Image of the policy file is attached because I can't upload files other then images.

Thank you.

Hello,

My company recently started using ActivTrak Monitoring software and I need some help configuring the setup for Apple computers. I'm trying to create a custom .mobileconfig to automatically turn on the browser extension and then stop the end users from turning the add-on off. I can successfully install and lock the extension on once installed but need to manually activate the add-on first. What do I need to add to the plist to enable the extension automatically?

Thank you!

Hi supporting teams / volunteers,

A Microsoft Purview extension was added via GPO previously, and we would like to enable the two settings (indicated with red box), may I know if anyone might have clues on that please? Also, would like to also check if we could remove the extension from users' end, since it said "can't be removed". Many thanks.

Best regards, Vincent

Hello,

I have enabled the Allow Windows single sign-on for Microsoft, work, and school accounts setting via GPO for Desktops, and it is showing as ticked.

Additionally, within Settings > Email & Accounts, my account is showing underneath Accounts used by other apps

However SSO does not seem to be working whenever I go to the likes of office.com

However, within the likes of Google Chrome (with the Microsoft Single Sign On Extension), SSO works seamlessly.

Does anyone have any ideas?

Thanks so much.

Hello!

I manage our browser configuration for our enterprise. We use group policy to restrict browser addons until they clear our internal security review.

I'm looking for a way to allow specific addons using group policy, while generally blocking everything else.

I've found the setting to enforce the installation of addons, but we'd like to avoid forcing every addon to install on every system as there would be overlap between things like password managers and such.

Is there a way to accomplish this?

Hello,

We have a client using Azure Virtual Desktops. Most of the users prefer to use Firefox. We are having an issue that anytime we update Firefox and reimage the virtual hosts. When the users login they get a new Firefox profile. We have to remote in and copy their old profile data to the new profile.

Is there a better way for us to handle Firefox and profiling in and Azure Virtual Desktop deployment?

Unattended software (kiosk) here.

Sometimes (so rarely that I cannot reproduce in dev) the client sees this error screen: "Firefox closed unexpectedly while starting..." (see image in attachment)

Sometimes when rebooting the error goes away and Firefox starts normally.

Sometimes even when rebooting the system - this vertical error screen appears, and one solution is to reinstall Firefox, but I'd like not to (if not necessary) or at least programmatically detect the issue and perform the needed actions.

QUESTIONS: How to programmatically detect (bash i.e.) that this error window is present and get rid of it properly? Or, how to (for debugging) force that screen to appear (to force that broken state)?

PS: I'm running Firefox using:

nohup firefox -P ff_custom_profile -new-instance -private-window -kiosk "$url" > /dev/null 2>&1 &

Thank you for any assistance or insight

Hi,

I already have the admx and adml templates installed on my gpo. I would like to control or prevent the install of vpn extensions on the firefox browser.

Specifically I would like to prevent the install of all vpn extensions to the firefox browser for the users in my company. I would like them to download and install other extensions. How could I do this through modifying the json file in the extensions folder of the firefox template in my gpo.

Thanks in advance, Floyd,

Hello,

We would like to deploy a configuration profile to our macbooks running Sonoma 14.5 and above. This is being done via Jamf MDM. However when we use our current plist to configure settings, They are not being applied correctly, The issue seems to be with the firefox plist itself and not our Jamf deployment. Would you be be able to advise or could we ask for a plist template that could achieve this?

Thanks.

Does anyone possess expertise in executing a forced update for Firefox within the user's profile directory located at "AppData\Local\Mozilla Firefox"? It would be advantageous to employ a PowerShell script for rectifying this issue. It appears that certain users are not frequently opening Firefox, thus impeding the automatic update process.

Hi, I would like to implement GPO settings for Firefox, and would like to review the list of the policies with description (explanation of what the policy is about and what happens if its enabled or disabled) on a table or excel format. Is there a site or page that will give me that list?

Hi everyone. I have installed Firefox on all windows 10 workstations and I have also installed latest Firefox Group Policy ADMX on Server. I need to set some preferences on all Workstations. The preferences that I want to set are the ones that can be found in about:config.

But the problem is that only some of these preferences exist in Group Policy by default and it says "deprecated". I know that I can add additional about:config preferences in a Group Policy object called "Preferences". But no matter how I enter the format or how I change the JASON file, no preference policy is applied to Firefox in workstations. By the way when I change "Preferences" gpo in group Policy the next Policy called "Preferences (JASON on one file)" does also change. I have thoroughly searched the web and Mozilla support and have tested all suggestions but all to no avail. Can you please help me and Give me an example of how to do that? I would appreciate any answer in advance.