Solved

Enable NTLM SSO for Firefox with Group Policy

Posted on 2012-03-22
Last Modified: 2012-07-09
My company has a lot of people using Firefox, and we are in the process of deploying several SharePoint sites.  We want to implement a solution that will prevent them from having to enter their Active Directory credentials in the browser when accessing these SharePoint sites.

If I go into Firefox about:config > network.automatic-ntlm-auth.trusted-uris, and add the SharePoint URLs, then SSO works.  The issue is how to do this efficiently across all computers in the organization.

I found a VBScript (URL below) that will add a specified list of URLs to that setting in the prefs.js file, but I need a way to run that VBScript on all computers.

http://sivel.net/2007/05/firefox-ntlm-sso/

I thought about using GPP, but as far as I can tell, that only works for controlling settings that are contained in the registry.

I have previously been doing this with a login script, but the issue with that approach is that I have a lot of remote users who use a software VPN client, so they do not connect to our network until after they have logged into their PC, so they do not run login scripts.

It seems group policy is the answer, but I can't seem to figure out how to get group policy to run a VBS file.
Question by:FWeston
4 Comments
 

Expert Comment

by:PaulNSW
ID: 37752330
Try the following:

Go to \\domain.local\netlogon

Copy your VBS script there.
Create another file, firefoxSSO.bat

and in it have

@echo off
rem Run the VBScript that sits in the same folder as this batch file
wscript "%~dp0your.vbs"

Then set the .bat file as the user logon script or startup script.

Author Comment

by:FWeston
ID: 37752405
Paul,

For the script, are you talking about setting it under:

User > Policies > Windows Settings > Scripts

and

Computer > Policies > Windows Settings > Scripts

?

If so, will those run periodically or only at startup / login?  The concern I have is that the computer will not have access to the domain controller when it boots up or the user logs in since it is remote.

Thanks.

Accepted Solution

by:
PaulNSW earned 500 total points
ID: 37752486
It's for every user profile, so you would need to use the User Policy section of GPO.

Try using this as a guide: http://community.spiceworks.com/how_to/show/990

It's for 2003, but the same concept applies for 2008.

The script will only run at user login.  However, I would assume, once this preference has been set, it will stick unless a user manually reverts the settings.

Author Comment

by:FWeston
ID: 37752694
Hi Paul,

That seems like it will work for folks that are on our corporate network at login, but I don't think this will solve the problem for remote users because they won't be able to access the DC at login.

I know the other user policies update at the predefined group policy refresh intervals, so remote users do get the settings from group policy. It seems now I just need to figure out a way to specify a policy that somehow modifies the prefs.js file without relying on a login script.

I wonder if a logoff script would do it...theoretically they should have access to the network at logoff.  I'll test that.
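
An added example, not part of the thread or the linked VBScript: a per-user PowerShell script that sets network.automatic-ntlm-auth.trusted-uris in each Firefox profile. The host names are constructed placeholders, and both the https-only validation and the choice of user.js instead of editing prefs.js are assumptions of this example.

```powershell
# Added example, not from the thread. Host names are constructed placeholders.
param(
    [string[]]$TrustedUris = @('https://sharepoint.example.com',
                               'https://mysites.example.com'),
    [string]$ProfilesRoot = (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles')
)

$prefName = 'network.automatic-ntlm-auth.trusted-uris'

# Firefox answers NTLM challenges from every listed site without prompting,
# so this example's policy (an assumption) is: explicit https origins only,
# fully qualified host, no path or query.
foreach ($u in $TrustedUris) {
    $parsed = $null
    $ok = [Uri]::TryCreate($u, [UriKind]::Absolute, [ref]$parsed) -and
          $parsed.Scheme -eq 'https' -and
          $parsed.Host -match '^[a-z0-9-]+(\.[a-z0-9-]+)+$' -and
          $parsed.AbsolutePath -eq '/' -and
          -not $parsed.Query
    if (-not $ok) {
        throw "Refusing '$u': expected https://host.domain with no path"
    }
}

$line = 'user_pref("{0}", "{1}");' -f $prefName, ($TrustedUris -join ',')

# user.js is applied at each Firefox start and is not rewritten by Firefox,
# unlike prefs.js. Replace any earlier line for this pref, keep the rest.
Get-ChildItem -Path $ProfilesRoot -Directory -ErrorAction Stop | ForEach-Object {
    $userJs = Join-Path $_.FullName 'user.js'
    $kept = @()
    if (Test-Path -LiteralPath $userJs) {
        $kept = @([IO.File]::ReadAllLines($userJs) |
                  Where-Object { $_ -notmatch [regex]::Escape($prefName) })
    }
    # WriteAllLines emits UTF-8 without a byte-order mark.
    [IO.File]::WriteAllLines($userJs, [string[]]($kept + $line))
    Write-Output "Updated $userJs"
}
```

Firefox picks up the value at its next start.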