Using Firefox Enterprise GPOs to Enable Windows Integrated Authentication to Specops Websites

Mozilla recently launched Firefox 60, which now includes official support for configuration via Active Directory Group Policies.  For customers using Specops uReset, Specops Authentication, or Specops Password Reset, this means you can now set up your Firefox users to take full advantage of integrated Windows authentication in these solutions.

You will need to install the ESR (Extended Support Release) version of Firefox 60 in order to get full support for GPO settings, as the main release channel of Firefox ignores many of the settings.  You can download the ESR version here:  https://www.mozilla.org/en-US/firefox/organizations/all/

The Group Policy ADMX templates are available to download from Mozilla’s GitHub page (get at least version 1.0): https://github.com/mozilla/policy-templates/releases

Unzip the policy-templates.zip file from GitHub and copy the ADMX and ADML files to the appropriate location. If you have a central store, copy the files to \\domain\sysvol\<domain>\policies\policydefinitions; otherwise, copy them to %windir%\policydefinitions on the machine where you’ll be editing your Firefox GPOs.

You should now have a Mozilla/Firefox folder in your group policy editor under Computer Configuration/Administrative templates.

Now you can add settings that will enable Windows integrated authentication.

Specops Password Reset

Enable Authentication/NTLM and add the address your users use to access your internal SPR server (this corresponds to the network.automatic-ntlm-auth.trusted-uris setting in Firefox).

If you are using a certificate issued by an internal CA, you can also enable the Certificates/Import Enterprise Roots setting (security.enterprise_roots.enabled) so Firefox will automatically use the Trusted Root Certificates from Windows.

Specops uReset

Enable Authentication/NTLM and add https://www.ureset.com to the URL list.

Specops Authentication

Specops Authentication leverages NTLM and Kerberos.  Enable Authentication/NTLM and Authentication/SPNEGO (network.negotiate-auth.trusted-uris) and add the following URLs to both settings:

https://login.specopssoft.com

https://js.specopsauthentication.com

https://trust.specopsauthentication.com

Apply the GPO and run gpupdate. You should see registry keys created under HKLM\Software\Policies\Mozilla.
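To check those registry keys from PowerShell instead of browsing them by hand, the following added example (not part of the original article or Specops tooling) compares the applied URL lists against the Specops Authentication URLs above and warns on missing, unexpected, or non-HTTPS entries. It assumes the Mozilla templates write each URL as a numbered value under a Firefox\Authentication\NTLM or Firefox\Authentication\SPNEGO subkey and the root setting as a Certificates\ImportEnterpriseRoots DWORD.

```powershell
# Added example: audit the Firefox policy values that the GPO wrote to the registry.
# Assumption: the Mozilla ADMX templates store each URL as a numbered value under
# ...\Firefox\Authentication\NTLM and ...\Firefox\Authentication\SPNEGO.
$base = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'

# Expected URLs, taken from the Specops Authentication section of this article.
# Adjust for Password Reset (your internal server) or uReset (https://www.ureset.com).
$specopsAuth = @('https://login.specopssoft.com',
                 'https://js.specopsauthentication.com',
                 'https://trust.specopsauthentication.com')
$expected = @{ NTLM = $specopsAuth; SPNEGO = $specopsAuth }

function Get-PolicyUrls([string]$Path) {
    # Return the data of every value under a policy key, or an empty list if the key is absent.
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-Item -Path $Path
    return @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

foreach ($scheme in $expected.Keys) {
    $applied = Get-PolicyUrls "$base\Authentication\$scheme"
    foreach ($url in $expected[$scheme]) {
        if ($applied -notcontains $url) { Write-Warning "$scheme : missing $url" }
    }
    foreach ($url in $applied) {
        # Firefox answers authentication challenges from every listed site automatically,
        # so flag anything not on the expected list or not starting with https://.
        if ($expected[$scheme] -notcontains $url) { Write-Warning "$scheme : unexpected entry $url" }
        if ($url -notmatch '^https://')           { Write-Warning "$scheme : not HTTPS: $url" }
    }
    Write-Output "$scheme : $($applied.Count) URL(s) applied"
}

# Certificates/Import Enterprise Roots is stored as a DWORD (1 = enabled).
$roots = (Get-ItemProperty -Path "$base\Certificates" -ErrorAction SilentlyContinue).ImportEnterpriseRoots
Write-Output "ImportEnterpriseRoots : $(if ($null -eq $roots) { 'not set' } else { $roots })"
```

Run it on a client after gpupdate; no warnings means the applied lists match the expected ones exactly.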

Next, close and re-open Firefox for the settings to take effect. If you want to double-check the policy has applied within Firefox, open a new tab and go to about:config. The settings should be locked and the values should match what you set in your GPO.

Of course, as a final test, try accessing your Password Reset or uReset enrollment page, or try logging into Office 365 using Specops Authentication.  Firefox should pass your Windows credentials automatically and you should not see any browser popups asking for a username & password.

 

(Last updated on August 2, 2018)

Written by

Darren Siegel

Darren Siegel is a cyber security expert at Specops Software. He works as a lead IT engineer, helping organizations solve complex challenges within IT security. Darren has more than 15 years’ experience within Active Directory, IT security, servers, storage, virtualization, cloud, and identity and access management.
