Solved

Enable NTLM SSO for Firefox with Group Policy

Posted on 2012-03-22
4
4,220 Views
Last Modified: 2012-07-09
My company has a lot of people using Firefox, and we are in the process of deploying several Sharepoint sites.  We want to implement a solution that will prevent them from having to enter their active directory credentials in the browser when accessing these Sharepoint sites.

If I go into Firefox about:config > network.automatic-ntlm-auth.trusted-uris, and add the Sharepoint URLs, then SSO works.  The issue is how to do this efficiently across all computers in the organization.

I found a VBScript (URL below) that will add a specified list or URLs to that setting in the prefs.js file, but I need a way to run that VBScript on all computers.

http://sivel.net/2007/05/firefox-ntlm-sso/

I thought about using GPP, but as far as I can tell, that only works for controlling settings that are contained in the registry.

I have previously been doing this with a login script, but the issue with that approach is that I have a lot of remote users who use a software VPN client, so they do not connect to our network until after they have logged into their PC, so they do not run login scripts.

It seems group policy is the answer, but I can't seem to figure out how to get group policy to run a VBS file.
0
Comment
Question by:FWeston
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 7

Expert Comment

by:PaulNSW
ID: 37752330
Try the following

go to \\domain.local\netlogon

copy your vbs script there
create another file, firefoxSSO.bat

and in it have

@echo off
wscript %0\..\your.vbs

Then set the .bat file as the user logon script or startup script
0
 
LVL 3

Author Comment

by:FWeston
ID: 37752405
Paul,

For the script, are you talking about setting it under:

User > Policies > Windows Settings > Scripts

and

Computer > Policies > Windows Settings > Scripts

?

If so, will those run periodically or only at startup / login?  The concern I have is that the computer will not have access to the domain controller when it boots up or the user logs in since it is remote.

Thanks.
0
 
LVL 7

Accepted Solution

by:
PaulNSW earned 500 total points
ID: 37752486
It's for every user profile, so you would need to use the User Policy section of GPO

Try using this as a guide: http://community.spiceworks.com/how_to/show/990

its for 2003, but the same concept applies for 2008

The script will only run at user login.  However I would assume, once this preference has been set, it will stick unless a user manually reverts the settings.
0
 
LVL 3

Author Comment

by:FWeston
ID: 37752694
Hi Paul,

That seems like it will work for folks that are on our corporate network at login, but I don't think this will solve the problem for remote users because they won't be able to access the DC at login.

I know the other user policies update at the predefined group policy refresh intervals, so remote users do get the settings from group policy, it seems now I just need to figure out a way to specify a policy that somehow modifies the prefs.js file without relying on a login script.

I wonder if a logoff script would do it...theoretically they should have access to the network at logoff.  I'll test that.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question