Download Mozilla Firefox, a free web browser. Firefox is created by a global not-for-profit dedicated to putting individuals in control online. Get Firefox for Windows, macOS, Linux, Android and iOS today! Users can enable Kerberos single sign-on (SSO) authentication using preference in their browser profile but it's also possible to set the default for all Firefox users on the system. During my ApacheCon talkthis year, one of the questions from the audience focused on.
Mozilla Firefox (+) Apple OS X OS X 10.9-10.11. Apple Safari (+) Google Chrome (+) Mozilla Firefox (+) Apple iOS iPhone and iPad with iOS 10. Apple Safari (+) Google Android Phones and tablets with Android 4.4 (KitKat) or later. Google Chrome (+) (+) Latest publicly released version. Browser requirements for the Report Viewer web control (2015). In Firefox, navigate to the kerberos protected web site and ensure that there are no Kerberos authentication errors, and that you can see and interact with the web site. This bug is a request to provide a much more user friendly way of accomplishing the same goal using some kind of. We are attempting to use ADFS with Kerberos. The /adfs/ls/wia URL works out of box with both Internet Explorer and Google Chrome, but we unable to make it work in Firefox Quantum. Instead we are presented with a completely blank screen. We are running ADFS 3.0 on Windows Server 2012 R2 with NTLM traffic disabled.
Using Kerberos implies that your client's browser must be configured properly!
Depending upon which browser your clients use, you have to set up the Kerberos configuration in a different way.Please note that without a proper configured browser, the Kerberos token is not sent to the server and so SSO will not work!
The URL http://webserver.test.ad must be added to Internet options > Security > Local intranet. You can deploy this setting by using a group policy for the node Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List. Each of your SSO-enabled sites has to be in the Intranet zone (value = 1).You can use wildcards like 'https://*.test.ad'.
After you have configured the setting, it should look like this:
Please note, that enforcing a GPO for Site to Zone Assignment List does no longer allow your users to edit the setting on their own! There are two options:
- Collect each custom configuration and assemble the complete list. In most cases you can use a wildcard on your internal domain like https://.test.ad* and http://.test.ad* to include all internal sites.
- Configure a custom assignment list by using a logon script or something like OpsCode Chef or Microsoft's Desired State Configuration.
The first option should be the way to go.
Check the other security settings
Please make sure that there your SSO-enabled domain is only entered in the Local intranet zone and nowhere else! If you have falsely entered the same domain in Trusted sites and Local intranet, the first one is used an no Kerberos token is sent by Internet Explorer to the webserver.
Firefox Kerberos Sso
Newer versions of Chrome do automatically detect the Kerberos negotiation and transmit your token. In case you are using an outdated version of Chrome we highly suggest to update it for security reasons.
If an update is not possible at all, Chrome must be started with the parameter
This setting can be automatically deployed by using group policies.
- Download the official group policies for Chrome
- Follow the installation procedure and open the chrome.admx
- Configure a policy for the option AuthServerWhitelist
- Deploy the policy
In Firefox you have to go to the about:config page and set the parameters
Firefox Kerberos Debug
The deployment of these settings can be done by using GPO for Firefox. This is a plug-in for Firefox which itself has to be automatically deployed and/or bundled with your NETLOGON script.