We are trying to get an application server that is running Apache2 on CentOS 5.1 to use NTLM to provide SSO to a number of applications.
We can get SSO to work with IE; however, SSO fails with Firefox. We have updated the NTLM trust entry in about:config in Firefox. However, this still fails.
Our current apache config looks like this:
Alias /someapp "/opt/someapp/public"
<Directory "/opt/someapp/public/">
    PerlAuthenHandler Apache2::AuthenNTLM
    AuthType ntlm,basic
    AuthName Basic
    require valid-user
    PerlAddVar ntdomain "MYDOMAIN primayad backupad"
    PerlSetVar defaultdomain MYDOMAIN
    PerlSetVar fallbackdomain MYDOMAIN
    PerlSetVar splitdomainprefix 1
    AllowOverride All
    Order allow,deny
    Allow from all
    PerlSetVar ntlmdebug 3
    #PerlSetVar ntlmauthoritative off
    PerlsetVar basicauth off
</Directory>
Any ideas why this would work for IE, but Firefox gets a dialog box prompting for user authentication?
Thanks,
Grant
Best Answer
That is because, by default, IE does global NTLM authentication; Firefox went the other way and only attempts NTLM authentication when it is explicitly configured to do so, and otherwise ignores SPNEGO challenges.
You need to open about:config in Firefox and filter to find network.automatic-ntlm-auth.trusted-uris, which by default will have no values. You need to put in hostnames that match the hosts you want to perform NTLM authentication. I've read other sites that suggest putting fully qualified URLs, but I've been fine using .domain.example.com for our internal Active Directory domain controlled hosts. One caveat is that this will work for Firefox on a Windows machine, but I have not had it succeed on a Linux machine, even with it being joined to the AD domain as a member.
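
When comparing the IE and Firefox behaviour described in this thread, it helps to confirm which NTLM handshake messages the browser actually sends, using the Authorization header values copied from a request capture or the browser's network tools. The following is an added example, not code from the original posts; the function names and the sample Type 3 builder are constructed for illustration, and it assumes the Type 3 layout that includes the flags field at offset 60.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE flag


def _secbuf(msg, offset):
    """Read an NTLM security buffer: uint16 len, uint16 maxlen, uint32 offset."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, offset)
    return msg[start:start + length]


def classify_auth_header(value):
    """Describe one Authorization / WWW-Authenticate header value."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme != "ntlm":
        return {"scheme": scheme}
    if not token:
        return {"scheme": "ntlm", "type": None}  # bare offer in the server's 401
    msg = base64.b64decode(token)
    if len(msg) < 12 or not msg.startswith(NTLM_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    info = {"scheme": "ntlm", "type": msg_type}
    # Type 3 carries the domain and user name the browser authenticated as.
    if msg_type == 3 and len(msg) >= 64:
        (flags,) = struct.unpack_from("<I", msg, 60)
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        info["domain"] = _secbuf(msg, 28).decode(enc)
        info["user"] = _secbuf(msg, 36).decode(enc)
    return info


def build_type3(domain, user):
    """Constructed sample: minimal Type 3 message with empty LM/NT responses."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    msg = NTLM_SIGNATURE + struct.pack("<I", 3)
    msg += struct.pack("<HHI", 0, 0, 64) * 2                     # LM, NT responses
    msg += struct.pack("<HHI", len(d), len(d), 64)               # domain
    msg += struct.pack("<HHI", len(u), len(u), 64 + len(d))      # user
    msg += struct.pack("<HHI", 0, 0, 64 + len(d) + len(u)) * 2   # workstation, session key
    msg += struct.pack("<I", NEGOTIATE_UNICODE)                  # flags at offset 60
    return "NTLM " + base64.b64encode(msg + d + u).decode()
```

A handshake that completes without a prompt shows a Type 1 request followed by a Type 3 request on the same connection; the Type 3 domain and user fields show which identity the browser presented.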