Latest answers on NTLM Authentication issue
https://support.mozilla.org/he/questions/1269209 2019-09-26T22:28:11-07:00

2019-09-26T22:28:11-07:00 haley.lowery https://support.mozilla.org/he/questions/1269209#answer-1255247
<p>Any other help the community could provide on this one?
</p>

2019-09-20T03:34:31-07:00 haley.lowery https://support.mozilla.org/he/questions/1269209#answer-1253645
<p>The URLs that I need are listed in my about:config file and I posted them as contents of my config file in my initial question.
</p>

2019-09-20T03:19:58-07:00 j.sodaghar https://support.mozilla.org/he/questions/1269209#answer-1253639
<p>Configuring Firefox to allow silent authentication
By default, Firefox supports prompted NTLM authentication. To enable silent NTLM authentication, you first need to configure the browser to trust sites.
To enable silent NTLM authentication in Firefox:
1. Open Firefox.
2. Type about:config as the target URL.
3. Type ntlm in the Filter field.
4. Open network.automatic-ntlm-auth.trusted-uris.
5. Type a comma-separated list of partner URLs or domain names as string values, then click OK. For example, type
http://server1.mydomain.com,https://server1.mydomain.com
then click OK.
Note: For security reasons, make this list as restrictive as possible.
Although the Mozilla Firefox Web browser supports negotiated (SPNEGO) authentication, this support is not enabled by default. To enable silent SPNEGO authentication for the Firefox browser, you first need to configure the browser to trust sites.
To enable silent SPNEGO authentication in Firefox:
1. Open Firefox.
2. Type about:config as the target URL.
3. Type neg in the Filter field.
4. Open network.negotiate-auth.delegation-uris, type a comma-separated list of partner URLs or domain names, for example,
http://server1.mydomain.com,https://server1.mydomain.com
and click OK.
Note: For security reasons, make this list as restrictive as possible. If your Web server uses SSL, be sure to include https:// in the string.
5. Open network.negotiate-auth.trusted-uris, type a comma-separated list of partner URLs or domain names, for example,
http://server1.mydomain.com,https://server1.mydomain.com
and click OK.
</p>

2019-09-20T00:48:03-07:00 haley.lowery https://support.mozilla.org/he/questions/1269209#answer-1253601
<p>We have the Windows account set up to authenticate to our intranet page in Chrome. I shouldn't need to adjust the server differently for Firefox, should I?
</p>

2019-09-20T00:20:50-07:00 j.sodaghar https://support.mozilla.org/he/questions/1269209#answer-1253593
<p>The NTLM SSP is used in the following situations:
</p><p>The client is authenticating to a server that doesn't belong to a domain or no Active Directory domain exists (commonly referred to as "workgroup" or "peer-to-peer")
The server must have the 'Password protected sharing' feature enabled, which is not enabled by default and which is mutually exclusive with HomeGroup on some versions of Windows.
When server and client both belong to the same HomeGroup, a protocol similar to Kerberos, Public Key Cryptography based User to User Authentication will be used instead of NTLM. HomeGroup is probably the easiest way to share resources on a small network, requiring minimal setup, even compared to configuring a few additional users to be able to use Password protected sharing, which may mean it is used much more than Password protected sharing on small networks and home networks.
If the server is a device that supports SMB, such as NAS devices and network printers, the NTLM SSP may offer the only supported authentication method. Some implementations of SMB or older distributions of e.g. Samba may cause Windows to negotiate NTLMv1 or even LM for outbound authentication with the SMB server, allowing the device to work although it may be loaded with outdated, insecure software regardless of whether it were a new device.
If the server is a member of a domain but Kerberos cannot be used.
The client is authenticating to a server using an IP address (and no reverse name resolution is available)
The client is authenticating to a server that belongs to a different Active Directory forest that has a legacy NTLM trust instead of a transitive inter-forest trust
Where a firewall would otherwise restrict the ports required by Kerberos (typically TCP 88)
</p>