Intranet app - win authentication 401 error

  • 12 replies
  • 11 have this problem
  • 265 views
  • Last reply by mm2015

After updating to v.40, most of our clients that use Firefox reported a problem accessing our intranet web app. I have no solution for this problem, and this is very irritating. I don't know how to explain this to our clients. OK, I resolved the problem on my machine by setting the value of network.automatic-ntlm-auth.allow-non-fqdn to TRUE, but that's not a solution for our clients.

All Replies (12)

MUST include a WWW-Authenticate header field in your request to the site. Does the header exist in the client's request?

Is the error page appearing in a frame or iframe?

There was a change in Firefox 40 related to basic authentication. Firefox no longer shows the login prompt for a framed page that is hosted on a different server. This is to protect you from accidentally giving your credentials for the outer page to an attacker using an embedded frame.

One workaround is to use the framed page directly (right-click the page > This Frame > Open Frame in New Tab), but if you prefer to disable this new protection, there is an option to do that. Of course, please be suspicious of this prompt appearing on other sites.

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste auth and pause while the list is filtered

(3) Double-click the network.auth.allow-subresource-auth preference and edit the 1 to a 2 and click OK

  • 1 shows the login dialog only for framed pages, images, etc., hosted on the same site
  • 2 allows the login dialog for framed pages, images, etc., hosted on any site

That should take effect the next time you reload the outer page (your original address).

Was that it?

@jscher2000 It isn't a solution for app users. How do I tell several hundred people that they have to change the Firefox config? Most of them don't know about the Firefox config.

@guigs I will post the header content in several minutes.

Hi mm2015, does that mean you ARE using cross-site framing where the framed site requires basic authentication? In that case, you can redirect users to the other site (or launch it in a new window) rather than framing it. Problem solved.

HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate
X-Powered-By: ASP.NET
X-UA-Compatible: IE=Edge
Date: Sun, 06 Sep 2015 12:47:23 GMT
Content-Length: 1293
Proxy-Support: Session-Based-Authentication

I'm not sure of the circumstances where you got that error message, but I will assume that you tried either or both of my suggestions related to the change I mentioned and they do not work on your page. So it must be a different problem.

Changing the value of the network.auth.allow-subresource-auth property works, but it isn't a good solution for me because I can't tell all clients to change this. Some more details about the app: it's two sites hosted on IIS. The app has frames, and the second site opens inside a frame. Both sites use Windows authentication. Opening the second site in a new window spoils the user experience, and this also isn't a solution.

Modified by mm2015

I tested that scenario on a couple IIS servers I have access to and couldn't find a quick JavaScript solution to detect the error in the frame (cross-site frames bar script access to the content document). Instead, I can imagine some more complex things that I don't have time to try to develop and test right now.

But... when you say both sites use Windows Authentication, do you mean that the user is entering the Windows credentials under which they are already logged in? In that case, the best workaround for their convenience and to bypass this issue is to allow Firefox to pass the credentials automatically by adding the server to the trusted hosts list here:

(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

(2) In the search box above the list, type or paste auth and pause while the list is filtered

(3) Double-click the network.automatic-ntlm-auth.trusted-uris preference and add the relevant server host name (if there already is another host name, type a comma first before the new host name). Do not include http:// or https:// before the host name. For example:

intranet,accounting,production

Newer versions of IIS may also require:

(4) Add the host to auto-login-to in the identical manner for:

    (A) The network.negotiate-auth.trusted-uris preference
    (B) The network.negotiate-auth.delegation-uris preference

Does that work on yours even if you toggle the network.auth.allow-subresource-auth preference back to its default value?
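An added example, not part of the original thread: a script that reads the WWW-Authenticate challenges from a 401 response like the one posted above and builds the matching trusted-uris values, so automatic login stays scoped to named intranet hosts. Writing the result as user_pref() lines for a profile's user.js file is an assumption of this example, and the function names are hypothetical.

```python
import re

# Constructed sample, shortened from the 401 response posted in the thread.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "WWW-Authenticate: Negotiate\r\n"
)
# Auth scheme -> the Firefox preference the thread names for it.
# network.negotiate-auth.delegation-uris is left out on purpose: it also
# lets the browser delegate the user's credentials to the server.
SCHEME_PREFS = {
    "ntlm": "network.automatic-ntlm-auth.trusted-uris",
    "negotiate": "network.negotiate-auth.trusted-uris",
}
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")

def offered_schemes(raw_response):
    """Return the lower-cased scheme of every WWW-Authenticate header."""
    schemes = []
    for line in raw_response.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate" and value.strip():
            scheme = value.split()[0].lower()
            if scheme not in schemes:
                schemes.append(scheme)
    return schemes

def merge_hosts(current, new_hosts):
    """Append bare host names to a comma-separated value, skipping duplicates."""
    hosts = [h.strip() for h in current.split(",") if h.strip()]
    for host in new_hosts:
        # The thread's step (3): no http:// or https:// before the host name.
        if "://" in host or not HOST_RE.match(host):
            raise ValueError(f"bare host name expected, got {host!r}")
        if host.lower() not in (h.lower() for h in hosts):
            hosts.append(host)
    return ",".join(hosts)

def pref_lines(raw_response, current_values, new_hosts):
    """Build user_pref() lines only for the schemes the server offers."""
    lines = []
    for scheme in offered_schemes(raw_response):
        pref = SCHEME_PREFS.get(scheme)
        if pref:
            value = merge_hosts(current_values.get(pref, ""), new_hosts)
            lines.append(f'user_pref("{pref}", "{value}");')
    return lines
```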

Yes, but the username and password are automatically filled in by Firefox. There are host values for the property network.automatic-ntlm-auth.trusted-uris. I will repeat once again: every solution based on user/client activity is not acceptable. It seems to me that a lot of people have this or a similar problem. I suggest reverting the changes related to this problem.

I understand your desire not to have this problem, but I don't think it is going to get reverted. Anyway, there is nothing more support volunteers can do. You can follow up with:

Feedback: https://input.mozilla.org/feedback

Bug tracking system, the IIS/NTLM case seems to have been reported here: https://bugzilla.mozilla.org/show_bug.cgi?id=1195091#c12

See: Voting

Chosen Solution

I just saw that Firefox 41 will revert this change. That is still a few weeks from release, however.

Many thanks for this info. I hope that this will be as soon as possible.