Using Firefox Enterprise GPOs to Enable Windows Integrated Authentication to Specops Websites
(Last updated on August 2, 2018)
Mozilla recently launched Firefox 60, which now includes official support for configuration via Active Directory Group Policies. For customers using Specops uReset, Specops Authentication, or Specops Password Reset, this means you can now set up your Firefox users to take full advantage of integrated Windows authentication in these solutions.
You will need to install the ESR (Extended Support Release) version of Firefox 60 in order to get full support for GPO settings, as the main release channel of Firefox ignores many of the settings. You can download the ESR version here: https://www.mozilla.org/en-US/firefox/organizations/all/
The Group Policy ADMX templates are available to download from Mozilla’s GitHub page (get at least version 1.0): https://github.com/mozilla/policy-templates/releases
Unzip the policy-templates.zip file from GitHub and copy the ADMX and ADML files to the appropriate location: if you have a central store, copy the files to \\domain\sysvol\<domain>\policies\policydefinitions; otherwise, copy them to %windir%\policydefinitions on the machine where you'll be editing your Firefox GPOs.
You should now have a Mozilla/Firefox folder in your group policy editor under Computer Configuration/Administrative templates.
Now you can add settings that will enable Windows integrated authentication.
Specops Password Reset
Enable Authentication/NTLM and add the address used by your users to access your internal SPR server (this corresponds to the network.automatic-ntlm-auth.trusted-uris setting in Firefox).
If you are using a certificate issued by an internal CA, you can also enable the Certificates/Import Enterprise Roots setting (security.enterprise_roots.enabled) so Firefox will automatically use the Trusted Root Certificates from Windows.
For Specops uReset, enable Authentication/NTLM and add https://www.ureset.com to the URL list.
Specops Authentication leverages NTLM and Kerberos. Enable Authentication/NTLM and Authentication/SPNEGO (network.negotiate-auth.trusted-uris) and add the following URLs to both settings:
Apply the GPO and run gpupdate. You should see registry keys created under HKLM\Software\Policies\Mozilla.
Next, close and re-open Firefox for the settings to take effect. If you want to double-check the policy has applied within Firefox, open a new tab and go to about:config. The settings should be locked and the values should match what you set in your GPO.
Of course, as a final test, try accessing your Password Reset or uReset enrollment page, or try logging into Office 365 using Specops Authentication. Firefox should pass your Windows credentials automatically and you should not see any browser popups asking for a username & password.
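To check the registry step above from a PowerShell prompt, the following added example (not from the original article or from Specops) lists the NTLM and SPNEGO trusted URIs the GPO wrote, flags any entry that is not a full https:// URL, and reports the Import Enterprise Roots value. It assumes the value layout documented for Mozilla's policy templates (numbered string values under HKLM\Software\Policies\Mozilla\Firefox); the function names are hypothetical.

```powershell
# Added example: audit the Firefox policy values written by the GPO.
# Assumption: Mozilla's templates store the settings under ...\Mozilla\Firefox.
$base = 'HKLM:\Software\Policies\Mozilla\Firefox'

function Get-FirefoxPolicyList {
    param([string]$SubKey)
    $path = Join-Path $base $SubKey
    if (-not (Test-Path $path)) { return @() }
    $key = Get-Item -Path $path
    # List policies are stored as numbered string values (1, 2, 3, ...).
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Policy = $SubKey
            Name   = $name
            Uri    = [string]$key.GetValue($name)
        }
    }
}

function Test-TrustedUri {
    param([string]$Uri)
    # A bare domain or http:// entry allows automatic authentication
    # over plain HTTP, so anything that is not https:// gets flagged.
    if ($Uri -notmatch '^https://[^/\s]+') { return 'REVIEW: not an https:// URL' }
    return 'OK'
}

$entries = @(Get-FirefoxPolicyList 'Authentication\NTLM') +
           @(Get-FirefoxPolicyList 'Authentication\SPNEGO')

if ($entries.Count -eq 0) {
    Write-Warning "No trusted-URI policy values under $base. Has gpupdate run?"
}

$entries | Select-Object Policy, Name, Uri,
    @{ Name = 'Check'; Expression = { Test-TrustedUri $_.Uri } } |
    Format-Table -AutoSize

# Certificates/Import Enterprise Roots is a single DWORD (1 = enabled).
$certKey = Join-Path $base 'Certificates'
$roots = $null
if (Test-Path $certKey) {
    $roots = (Get-Item $certKey).GetValue('ImportEnterpriseRoots')
}
"ImportEnterpriseRoots = $(if ($null -eq $roots) { 'not set' } else { $roots })"
```

Keeping both URL lists limited to the exact https:// addresses of your Specops endpoints ensures Firefox only sends Windows credentials automatically to those sites.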