ARCHIVED: In Firefox, why am I unable to log into some IU websites that I can reach with Internet Explorer?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

You may be able to access some Indiana University websites (restricted sites that ask for your ADS credentials) with Internet Explorer, but not with Firefox. If your computer is joined to ADS, Internet Explorer doesn't ask for your username or password, but Firefox prompts you repeatedly. If your computer is not joined to ADS, Internet Explorer accepts your username and password, but Firefox repeatedly prompts you for those credentials.

To access restricted IU websites that ask for your ADS credentials, you must configure your browser to allow the automatic authentication mechanism to proceed. Do this by adding the sites' URLs to specific lines in a configuration file:

  1. Launch Firefox. In the Address Bar, instead of typing a URL, enter:
      about:config

    This will open the configuration interface. You may need to agree to a security warning in order to proceed.

  2. Double-click the line labeled network.automatic-ntlm-auth.trusted-uris.
  3. An "Enter string value" dialog box will open. In this box, enter the URLs for the sites to which you want the browser to automatically authenticate. Separate individual URLs with commas, but do not put spaces between them, for example:
      darthvader.iu.edu,r2d2.iupui.edu,deathstar.ucs.indiana.edu

    Click OK when you're finished.

  4. Double-click the line labeled network.negotiate-auth.trusted-uris. Enter the same information you entered in the previous step, with the URLs separated by commas and with no spaces. Click OK.
  5. Close the browser and then relaunch it. You should be able to access the websites you entered in steps 3 and 4.

If your computer is not joined to ADS, your browser will still prompt you once for a username and password. The fix described above allows authentication to proceed, but it won't force automatic authentication in situations where it's not designed to work, such as when a computer is not joined to ADS.
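Because Firefox will answer NTLM and Negotiate challenges automatically for every entry in these two preferences, it is worth checking that the lists are as narrow as intended. The following is an added example, not part of the original article or any IU tooling: it audits the text of a Firefox prefs.js or user.js file for the two preferences set in the steps above. The sample file content is constructed, and the "single label" check is a review heuristic assumed here, not a Firefox rule.

```python
import re

PREFS = ("network.automatic-ntlm-auth.trusted-uris",
         "network.negotiate-auth.trusted-uris")
# Line format used in Firefox's prefs.js / user.js files
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"([^"]*)"\);')

# Constructed sample: first line follows the article, second has mistakes
SAMPLE = '''
user_pref("network.automatic-ntlm-auth.trusted-uris", "darthvader.iu.edu,r2d2.iupui.edu,deathstar.ucs.indiana.edu");
user_pref("network.negotiate-auth.trusted-uris", "darthvader.iu.edu, r2d2.iupui.edu,https://,.edu");
'''

def check_entry(entry):
    """Return a list of problems with one comma-separated entry."""
    if not entry.strip():
        return ["empty entry"]
    problems = []
    if entry != entry.strip():
        problems.append("space around entry")  # the article says no spaces
    _scheme, sep, rest = entry.strip().partition("://")
    host = (rest if sep else entry.strip()).split("/")[0].strip(".")
    if not host:
        problems.append("no host name, matches every site")
    elif "." not in host:
        problems.append("single label, review scope")  # e.g. ".edu"
    return problems

def audit(prefs_text):
    """Return (pref, entry, problem) tuples for both trusted-uris prefs."""
    values = {name: value for name, value in PREF_RE.findall(prefs_text)
              if name in PREFS}
    findings = []
    for pref in PREFS:
        if pref not in values:
            findings.append((pref, "", "pref not set"))
            continue
        for entry in values[pref].split(","):
            findings += [(pref, entry, p) for p in check_entry(entry)]
    # Step 4 says both prefs should carry the same list
    lists = {frozenset(e.strip() for e in v.split(",")) for v in values.values()}
    if len(lists) > 1:
        findings.append(("both", "", "lists differ"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To audit a real profile, pass the contents of its prefs.js file to `audit()` while Firefox is closed.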

Technical information

This problem results from the way these browsers handle certain types of authentication requests. By default, they reject certain automatic authentication methods from web servers, such as the single sign-on type of authentication that comes through Windows Active Directory membership. This behavior prevents your browser from automatically falling for a spoofing or man-in-the-middle attack. Many computers, especially those outside the IU network, are configured not to use any authentication protocol higher than NTLMv1, and the NTLMv1 protocol was considered weak security when these browsers were being developed. For those reasons, the development teams chose not to allow the automatic methods, so users must reconfigure their browsers to gain that functionality.

Even when these browsers reject the automatic authentication requests, they will often still prompt you for a username or password. After those credentials are entered, however, the authentication method is often rejected. At IU, the problem arises because some websites use an automatic authentication mechanism called Integrated Windows Authentication (also called Integrated Auth). This mechanism takes the ADS credentials you enter when you log into the computer, and then uses them to authenticate to the website. The website functions like other ADS-authenticated resources, such as mapped drives and networked printers, in that logging into your computer provides access without the need to re-enter your username and password.

Internet Explorer allows Integrated Auth without impediment; by default, Firefox does not.

Exceptions

Some websites will not work with Firefox even if you change your configuration as suggested above. In those cases, you have only three options:

  • You can use Internet Explorer for the problematic websites. Internet Explorer does not prevent automatic authentication mechanisms from working.
    Note: UITS strongly recommends that you use a supported browser, and not Internet Explorer (IE). Microsoft 365 apps and services no longer support Internet Explorer.
  • You can install the Internet Explorer tab for Firefox in Windows to automatically allow for Integrated Auth.
  • The server administrator can reconfigure the site to use Basic Authentication instead of Integrated Authentication, forgoing automatic authentication mechanisms and making the website simply ask for a username and password. Only the site administrator can perform this.

More information for developers, support staff, and IT Pros

For more about Mozilla's support for Integrated Authentication, visit the Mozilla Developer Center.

This is document atxe in the Knowledge Base.
Last modified on 2018-01-18 15:47:01.