[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Enable NTLM SSO for Firefox with Group Policy

Posted on 2012-03-22
4
Medium Priority
?
4,612 Views
Last Modified: 2012-07-09
My company has a lot of people using Firefox, and we are in the process of deploying several Sharepoint sites.  We want to implement a solution that will prevent them from having to enter their active directory credentials in the browser when accessing these Sharepoint sites.

If I go into Firefox about:config > network.automatic-ntlm-auth.trusted-uris, and add the Sharepoint URLs, then SSO works.  The issue is how to do this efficiently across all computers in the organization.

I found a VBScript (URL below) that will add a specified list or URLs to that setting in the prefs.js file, but I need a way to run that VBScript on all computers.

http://sivel.net/2007/05/firefox-ntlm-sso/

I thought about using GPP, but as far as I can tell, that only works for controlling settings that are contained in the registry.

I have previously been doing this with a login script, but the issue with that approach is that I have a lot of remote users who use a software VPN client, so they do not connect to our network until after they have logged into their PC, so they do not run login scripts.

It seems group policy is the answer, but I can't seem to figure out how to get group policy to run a VBS file.
0
Comment
Question by:FWeston
  • 2
  • 2
4 Comments
 
LVL 7

Expert Comment

by:PaulNSW
ID: 37752330
Try the following

go to \\domain.local\netlogon

copy your vbs script there
create another file, firefoxSSO.bat

and in it have

@echo off
wscript %0\..\your.vbs

Then set the .bat file as the user logon script or startup script
0
 
LVL 3

Author Comment

by:FWeston
ID: 37752405
Paul,

For the script, are you talking about setting it under:

User > Policies > Windows Settings > Scripts

and

Computer > Policies > Windows Settings > Scripts

?

If so, will those run periodically or only at startup / login?  The concern I have is that the computer will not have access to the domain controller when it boots up or the user logs in since it is remote.

Thanks.
0
 
LVL 7

Accepted Solution

by:
PaulNSW earned 2000 total points
ID: 37752486
It's for every user profile, so you would need to use the User Policy section of GPO

Try using this as a guide: http://community.spiceworks.com/how_to/show/990

its for 2003, but the same concept applies for 2008

The script will only run at user login.  However I would assume, once this preference has been set, it will stick unless a user manually reverts the settings.
0
 
LVL 3

Author Comment

by:FWeston
ID: 37752694
Hi Paul,

That seems like it will work for folks that are on our corporate network at login, but I don't think this will solve the problem for remote users because they won't be able to access the DC at login.

I know the other user policies update at the predefined group policy refresh intervals, so remote users do get the settings from group policy, it seems now I just need to figure out a way to specify a policy that somehow modifies the prefs.js file without relying on a login script.

I wonder if a logoff script would do it...theoretically they should have access to the network at logoff.  I'll test that.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

868 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question