While it's possible to configure Firefox to function in single-sign-on mode with a proxy that performs Integrated Windows Authentication (IWA), this requires manual configuration of several settings in about:config, which isn't practical if the browser is deployed across a large number of desktops. Can this process be automated in some way, and if so, how?
The relevant Firefox settings can be configured automatically with a command-line script, which can be pushed to users at login time using Domain policy. The script would need to contain the following commands:
rem Switch to the user's default Firefox profile folder.
cd /D "%APPDATA%\Mozilla\Firefox\Profiles\*.default"
rem Append the IWA preferences to prefs.js.
echo user_pref("network.automatic-ntlm-auth.trusted-uris", "www.cfauth.com/"); >>prefs.js
echo user_pref("network.negotiate-auth.delegation-uris", "www.cfauth.com/"); >>prefs.js
echo user_pref("network.negotiate-auth.trusted-uris", "www.cfauth.com/"); >>prefs.js
In the commands above, replace www.cfauth.com with the virtual URL of the IWA realm on your actual proxy, which can be found at Configuration > Authentication > IWA > IWA General.
Notes:
i. The script can be safely used even if a particular Firefox browser already has the settings configured.
ii. For information on how to apply these settings manually using the about:config page in the Firefox browser interface itself, please see the page below in the SGOS Authentication Web Guide.
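A PowerShell variant of the login script above, as an added example that is not part of the original article or of any vendor tooling: it writes the same three preferences to user.js, which Firefox reads at startup and applies over prefs.js, and replaces earlier copies instead of appending duplicates. The function name Set-IwaPrefs and the `*.default*` profile filter are assumptions; www.cfauth.com/ is the article's placeholder for your proxy's virtual URL.

```powershell
# Added example (not vendor code). Run in the user's context, e.g. as a logon script.
# Placeholder from the article: replace with the virtual URL of your IWA realm.
# Keep this to the exact proxy host: Firefox sends Windows credentials
# automatically to every URI listed in these preferences.
$VirtualUrl = 'www.cfauth.com/'

$PrefNames = @(
    'network.automatic-ntlm-auth.trusted-uris',
    'network.negotiate-auth.delegation-uris',
    'network.negotiate-auth.trusted-uris'
)

# Hypothetical helper: rewrite user.js in one profile folder.
function Set-IwaPrefs {
    param(
        [Parameter(Mandatory)] [string] $ProfileDir,
        [Parameter(Mandatory)] [string] $Uri
    )
    $userJs = Join-Path $ProfileDir 'user.js'
    $kept = @()
    if (Test-Path -LiteralPath $userJs) {
        # Keep every existing line except earlier settings of the three prefs.
        $kept = @([System.IO.File]::ReadAllLines($userJs) | Where-Object {
            $line = $_
            -not ($PrefNames | Where-Object { $line -like "*user_pref(`"$_`"*" })
        })
    }
    $new = $PrefNames | ForEach-Object { "user_pref(`"$_`", `"$Uri`");" }
    # WriteAllLines without an encoding argument writes UTF-8 with no BOM.
    [System.IO.File]::WriteAllLines($userJs, [string[]]($kept + $new))
}

# Assumption: cover both "*.default" and newer "*.default-release" folders.
$profilesRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path -LiteralPath $profilesRoot) {
    Get-ChildItem -LiteralPath $profilesRoot -Directory -Filter '*.default*' |
        ForEach-Object { Set-IwaPrefs -ProfileDir $_.FullName -Uri $VirtualUrl }
}
```

Because Firefox rewrites prefs.js when it exits, lines appended to prefs.js while the browser is open can be lost; user.js is not rewritten by the browser.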