Solved

Enable NTLM SSO for Firefox with Group Policy

Posted on 2012-03-22
Last Modified: 2012-07-09
My company has a lot of people using Firefox, and we are in the process of deploying several SharePoint sites.  We want to implement a solution that will prevent them from having to enter their Active Directory credentials in the browser when accessing these SharePoint sites.

If I go into Firefox about:config > network.automatic-ntlm-auth.trusted-uris, and add the SharePoint URLs, then SSO works.  The issue is how to do this efficiently across all computers in the organization.

I found a VBScript (URL below) that will add a specified list of URLs to that setting in the prefs.js file, but I need a way to run that VBScript on all computers.

http://sivel.net/2007/05/firefox-ntlm-sso/

I thought about using GPP, but as far as I can tell, that only works for controlling settings that are contained in the registry.

I have previously been doing this with a login script, but the issue with that approach is that I have a lot of remote users who use a software VPN client, so they do not connect to our network until after they have logged into their PC, so they do not run login scripts.

It seems group policy is the answer, but I can't seem to figure out how to get group policy to run a VBS file.
0
Question by:FWeston
 
LVL 7

Expert Comment

by:PaulNSW
ID: 37752330
Try the following:

Go to \\domain.local\netlogon

Copy your VBS script there.
Create another file, firefoxSSO.bat,

and in it have:

@echo off
rem Run the VBScript stored alongside this batch file
wscript "%~dp0your.vbs"

Then set the .bat file as the user logon script or startup script.
0
 
LVL 3

Author Comment

by:FWeston
ID: 37752405
Paul,

For the script, are you talking about setting it under:

User > Policies > Windows Settings > Scripts

and

Computer > Policies > Windows Settings > Scripts

?

If so, will those run periodically or only at startup / login?  The concern I have is that the computer will not have access to the domain controller when it boots up or the user logs in since it is remote.

Thanks.
0
 
LVL 7

Accepted Solution

by:
PaulNSW earned 2000 total points
ID: 37752486
It's for every user profile, so you would need to use the User Policy section of GPO

Try using this as a guide: http://community.spiceworks.com/how_to/show/990

It's for 2003, but the same concept applies for 2008.

The script will only run at user login.  However, I would assume that once this preference has been set, it will stick unless a user manually reverts the settings.
0
 
LVL 3

Author Comment

by:FWeston
ID: 37752694
Hi Paul,

That seems like it will work for folks that are on our corporate network at login, but I don't think this will solve the problem for remote users because they won't be able to access the DC at login.

I know the other user policies update at the predefined group policy refresh intervals, so remote users do get the settings from group policy. It seems now I just need to figure out a way to specify a policy that somehow modifies the prefs.js file without relying on a login script.

I wonder if a logoff script would do it...theoretically they should have access to the network at logoff.  I'll test that.
0
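
The prefs.js change discussed in this thread, as an added PowerShell example (not code from the thread or from the linked VBScript): it merges hosts into network.automatic-ntlm-auth.trusted-uris for every Firefox profile of the current user. The host names are placeholders, and the https-only check is an assumption added here, since Firefox answers NTLM challenges from every listed site without prompting.

```powershell
# Added example. $TrustedUris holds placeholder hosts; replace with your SharePoint sites.
$PrefName    = 'network.automatic-ntlm-auth.trusted-uris'
$TrustedUris = @('https://sharepoint.example.internal', 'https://teams.example.internal')

function Merge-NtlmTrustedUris {
    param([string[]]$Lines, [string[]]$Add)

    # Assumed policy: accept only explicit https://host entries so credentials
    # are never offered to a wildcard, a bare scheme, or a cleartext site.
    foreach ($u in $Add) {
        if ($u -notmatch '^https://[A-Za-z0-9.-]+(:\d+)?$') {
            throw "Refusing overly broad or non-HTTPS entry: $u"
        }
    }

    $pattern  = '^user_pref\("' + [regex]::Escape($PrefName) + '",\s*"(.*)"\);\s*$'
    $existing = @()
    $kept = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            # Remember what is already trusted and drop the old line.
            $existing += @($Matches[1] -split '\s*,\s*' | Where-Object { $_ })
        } else {
            $line
        }
    }
    $merged = @($existing + $Add | Select-Object -Unique)
    @($kept) + ('user_pref("{0}", "{1}");' -f $PrefName, ($merged -join ','))
}

# Run while Firefox is closed: Firefox rewrites prefs.js on exit.
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $prefs = Join-Path $_.FullName 'prefs.js'
    if (Test-Path $prefs) {
        $old = [System.IO.File]::ReadAllLines($prefs)
        $new = Merge-NtlmTrustedUris -Lines $old -Add $TrustedUris
        if (($new -join "`n") -ne ($old -join "`n")) {
            Copy-Item -Path $prefs -Destination "$prefs.bak" -Force
            # WriteAllLines emits UTF-8 without a byte-order mark.
            [System.IO.File]::WriteAllLines($prefs, [string[]]$new)
        }
    }
}
```

Existing entries are preserved and the merge is idempotent, so the script can be rerun on any schedule without duplicating hosts.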
