Forum zgromaźeństwa Firefox za Enterprise

With Firefox 115.14.0esr, 115.2esr and 128.xesr we can`t log in into a company website with a certificate. After the certificate login we end up on the WebSeal again. Http status 302 for pkmslogin.form and pkmscertpromptstagen is called ~12x repeatedly with 302 error each time and then jump back to the login screen.

Hi,

Looking to upgrade our org to ESR 128.2.0 due to compatibility issues - most notably, embedded PDFs not loading due to Promise.withResolvers() not being implemented on versions prior to 121.

Curious to know if there are any issues or concerns with upgrading manually/pushing this version out - would like to ensure we don't cause further issues in attempting to resolve one.

Firefox version

   128.2.0esr (64-bit)

Operating system

   Windows 10/Windows11 23H2 Septembre patch

Hello everyone,

maybe you can tell me/explain what the problem could be.

In our company we had Firefox version 115.14.0esr (64-bit) and then we updated to 128.2.0esr (64-bit).

Since version 128.2 ESR we have experienced problems in Firefox when trying to access DNN+ pages (with login). https://www.dnn.de/sport/regional/dresdner-sc-denkt-ueber-uebernahme-der-margon-arena-nach-C3IC74MZ6FE43AKGCZJSKUXA3I.html

In Firefox the content is cut off, in Edge it is displayed normally.

With Edge and Firefox 115.14.0esr the page is displayed normally. No AdBlock installed.

In developer mode I see the errors in the versions, so it shouldn't be that.

Cross-source (cross-origin) request blocked: The same-source rule prohibits reading the external resource on https://gum.criteo.com/sid/json?origi...AAAAAAAA&gdpr=1. (Reason: CORS request failed). Status code: (null).

Cross-source (cross-origin) request blocked: The same-source rule prohibits reading the external resource on https://id5-sync.com/api/config/prebid. (Reason: CORS request failed). Status code: (null).

Any ideas? Thank you very much! :)

Hello,

I installed Firefox 128.2.0esr. I set the next parameters in GPO for settings DNSOverHTTPS: "DNSOverHTTPS": {

                      "Enabled":  true,

"ProviderURL": "https://safe.dot.dns.yandex.net/dns-query", "Locked": true, "Fallback": true }. But when checking via https://www.cloudflare.com/ru-ru/ssl/encrypted-sni/#results I get (screenshot in attachment). As you can see from the screenshot, DNS and SNI did not receive the coveted check marks. Secure DNS We weren’t able to detect whether you were using a DNS resolver over secure transport. Contact your DNS provider or try using 1.1.1.1 for fast & secure DNS. DNSSEC Attackers cannot trick you into visiting a fake website by manipulating DNS responses for domains that are outside their control. TLS 1.3 Nobody snooping on the wire can see the certificate of the website you made a TLS connection to. Secure SNI Anybody listening on the wire can see the exact website you made a TLS connection to.

In my browser / about:config: network.trr.mode = 2 network.trr.uri = https://safe.dot.dns.yandex.net/dns-query

In 128.2.0esr there is no protection against ESNI interceptions and ECH is enabled by default? Or is the problem that the DNS provider does not support the technology from Mozilla? Or what other settings we need use (via GPO)?

Thank you.

I am working on upgrading our organization from ESR version 115 to 128. While testing, I am experiencing an issue where a new profile is being created and defaulted to on first run after the upgrade. This removes all the bookmarks, themes, extensions, etc. For a technical person like myself, I can easily revert this by going to about:profiles and setting my previous profile back as the default and then restarting Firefox. The issue lies in that this process is not something we can feasibly do for over 1000 people if/when they see this problem. I have been trying to wrap the install with a few commands to back up the previous profiles.ini and put it back after upgrade but this isn't working out too well.

Is there a way to automate keeping whatever profile was being used as the default intact without generating a new one and having it take over?

One thing to note is that we are following CIS guidelines as closely as possible, thus using synced profiles is not an option.

We've been noticing for some time now that we haven't been able to load the Microsoft Bookings Page using the Microsoft Store version of the Firefox web browser.

Here's what we have tried and what we know: -We cleared cache and cookies using the "Everything" drop down option to no avail. -Confirmed that we are running the latest version and no extensions are running. -Tested running it in "New Private Window" to no avail. -Tested Diagnostic Mode to no avail. -Tested Refresh Firefox to no avail. -We confirmed that we are able to login and load the Microsoft booking page using different browsers (Edge, Chrome and even Firefox directly from their own page) with no issues. - We confirmed that different users can replicate the issue and can be replicated on a different computer as well. -We confirmed that we are able to access other Office 365 web apps with out an issue on the Microsoft Store version of the Firefox web browser.

Microsoft Support stated that they are able to replicate the issue on their end, but advised to reach out to Firefox support to investigate this further.

Feel free to let me know if any other information would be helpful such as .HAR log file(s) etc.

Thanks!

Hello,

we are trying to update our Firefox ESR to 128.2.0 version.

The install seems to get stuck when executing "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" -register-task 308046B0.

We've tried updating to 115.15.0 first, that seems to install fine. After updating to 115.15.0 we tried to update to 128.2.0 again and it still hangs on the same part.

Also note that this happens on both EXE and MSI package. We also use the Finnish language version.

I need some help to get Intune Firefox Extension Management to work.

I have imported the Firefox ADMX into Intune but cant seem to get the JSON correct for this to work correctly.

The scenario I would like to give is I would like to block all extensions but allow Power Automate Extension and Cisco Web Ex Extension.

Any help would be appreciated!

Hi,

At my work, we use Windows AppLocker to allow only trusted code to be executed. Firefox works great in this environment, but I do have a request.

We were regularly getting notices of untrusted code being attempted from the "%windir%\temp\NS?????.tmp\" folder, which was a mystery to us for a long time. We finally tracked the cause back to "C:\Program Files\Mozilla Firefox\uninstall\helper.exe", which extracts DLLs (e.g. system.dll, shelllink.dll, userinfo.dll and accesscontrol.dll). It's my pleasure to report that the extracted DLLs ARE signed (btw, thank you so much for that!!). However, I had an embarrassingly hard time getting to this point since the code is code only exists temporarily, and I sadly never had the thought that NS might mean Netscape.

Incase there are others in my situation, I was wondering you'd like to prepend the .tmp folder name to include moz- or Mozilla?

I think there may be others in my situation, since our instance that followed the best practice of exempting all DLLs in Program Files from the exclusion policy, and since Firefox keeps all DLLs in Program Files, these were the only Firefox DLLs being checked.

Thank you for 30 years of a great product!

Rob

Firefox (129.0.2) displays "401 - Unauthorized: Access is denied due to invalid credentials" (see attached image)

I have tried various combinations of setting and not setting the following in Firefox:

• network.negotiate-auth.trusted-uris
• network.negotiate-auth.delegation-uris
• network.auth.use-sspi

For the URI settings I have tried both .domainname.domainextension and https://servicename.domainname.domainextension

In Windows 10 Control Panel -> Internet Options, the site is in "Trusted sites" using a domain wildcard, and also "Local intranet" and both "Automatic logon" and "Enable Integrated Windows Authentication" are enabled. I suspect those setting aren't relevant since other browsers are authenticating without error or prompt, but calling this out to show that I've covered that base.

The web service is served by IIS 10.0 on Windows Server 2022 and the authentication provider list only includes Negotiate, but I don't believe this issue has anything to do with IIS or its configuration as, again, other browsers are authenticating without error or prompt.

Anything else to check?

Thank you for any guidance you can offer.

Hello,

I am reaching out to gain information on ADMX GPO policies. We are retiring Policy Pak which used to add all the policies and secure Firefox for Enterprise. What we noticed is that Policy Pak used the app set to apply these policies and we are noticing that native GPO's for the most part to match the Policy Pak policies is not as accurate for GPO's My ask here is there any Most Viable Product suggestions to apply Native GPO's for securing Firefox.

I am working on deploying Firefox with a GPO and I noticed that a saved password can be easily viewed just by going into the password manager. I found a way to disable the password manager all together, but then you can't save passwords. I am look for a way just to Require device sign in to fill and manage passwords as it says so its not just clicking the eyeball to see the password. I saw this article ( https://support.mozilla.org/en-US/kb/firefox-password-authentification-prompt ) which is how I got the description for this and that seems to be exactly what I want, But I cannot find this setting anywhere in the GPO. Anyone know where it is OR perhaps maybe you could add it?

Hi All,

I'm using Firefox on 24 PC's in a primary school computer Lab, I have had reports of students installing extensions and plugins that i wish to stop, also i've had issues with students not signing out of their email and other students gaining access.

Im looking for solutions for the following and was hoping someone could point me in the right direction -

1. Disabling the installations of extensions and plugins. 2. Clearing browsing history/logging out of any accounts. 3. Locking settings so students can't change settings.

Any help would be greatly appreciated. Adam

I'm a newbie using Debian and Deb 12 ships with Firefox ESR and I've decided to stick with it instead of the regular release, 'cause it breaks some extensions I have. However, I want to upgrade to the latest ESR version, how do I do it? I tried going to (https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr), but the file for linux 64 bit is a .tar.bz2 file, which I have no idea how to compile.

We use ESR due to its stability and long term security updates, and we use Duo as our SSO/IDP.

We have Duo set to deny login when the browser is more than 6 mo out of date, but due to the way FF reports only the main version number via the user agent Duo is unable to determine that FF ESR is actually up to date and thinks that it's too old and my users are being denied login or getting an erroneous message about needing to update their browser.

Is there a way to set FF to report it's whole version to Duo? We would prefer not to have to "outlaw" FF in our prod environment if at all possible.

I am trying to manage Firefox for company devices via Intune and would like to know if there is a way to uninstall all extensions/add-ons besides one or two approved ones.

I have been able to import the Firefox AMDX into Intune and have made a policy to install uBlock (which works without issue) and I can uninstall specific extensions/add-ins via their Extension ID (also without issue), however I can't see a way to uninstall all extensions. If I try and put a wildcard in the Extension ID field, nothing is affected.

We have a large number of devices with their own user-installed extensions so auditing this and then updating a policy manually with specific extension IDs may be quite painful.