Authentication popup in Mozilla Firefox while using transparent authentication


Article ID: 168184


Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

Users report that they receive an authentication popup when using Firefox. When they use Internet Explorer, no authentication popup is displayed and they can access the internet normally.

The proxy is deployed in transparent mode with a redirect-based authentication mode.

Resolution

This happens because of how transparent proxy authentication takes place. The ProxySG is configured with a Virtual URL that resolves to one of its IP addresses. When a request reaches the proxy transparently, the proxy must redirect that request to itself to issue the authentication challenge. If configured per the documentation, the Virtual URL (located in the Management Console under Authentication > IWA > IWA General) is a single hostname (such as http://ProxySG). By default, Internet Explorer treats this URL as an internal intranet website and tries to authenticate automatically using NTLM credentials.

Firefox, however, has no such default configuration, so it treats the ProxySG's Virtual URL as an external link. Because of this, it does not automatically provide the user's network logon credentials, and the popup appears to the user.

To resolve this issue, add the Virtual URL to the list of URLs to which Firefox is permitted to respond with NTLM credentials. The steps are as follows:

  1. Open Firefox.
  2. Type in the URL field “about:config” (without quotes).
  3. Search for the following term: ntlm.
  4. Locate the parameters "network.automatic-ntlm-auth.trusted-uris", "network.negotiate-auth.delegation-uris" and "network.negotiate-auth.trusted-uris", and enter the authentication Virtual URL in each of these fields.
  5. Search for the word "proxy" (without quotes).
  6. Set "signon.autologin.proxy" to "true".
  7. Close and open Firefox again, and this time, it should handle the authentication challenge from the proxy without prompting the user.
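
To confirm the result of the steps above across many workstations, the check below reads the text of a Firefox profile's prefs.js and reports which of the four preferences are missing the Virtual URL, along with any entry that would release credentials to more than the proxy. It is an added example, not part of the original article or any vendor tooling; the function names, the `user_pref("name", value);` line format and the sample content are assumptions made for illustration.

```python
import re

# Preferences from the steps above whose value must list the Virtual URL.
URI_PREFS = (
    "network.automatic-ntlm-auth.trusted-uris",
    "network.negotiate-auth.delegation-uris",
    "network.negotiate-auth.trusted-uris",
)
BOOL_PREF = "signon.autologin.proxy"
# Assumed line format of prefs.js / user.js: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample profile content (not taken from a real system).
SAMPLE = '''
user_pref("network.automatic-ntlm-auth.trusted-uris", "http://ProxySG");
user_pref("network.negotiate-auth.trusted-uris", "http://, https://");
user_pref("signon.autologin.proxy", true);
'''

def parse_prefs(text):
    """Return {name: value}; quoted strings are unquoted, true/false become bool."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text, virtual_url):
    """Return a list of findings; an empty list means the profile matches the steps."""
    prefs = parse_prefs(text)
    findings = []
    for name in URI_PREFS:
        entries = [e.strip() for e in str(prefs.get(name, "")).split(",") if e.strip()]
        if virtual_url not in entries:
            findings.append(f"{name}: Virtual URL {virtual_url} not listed")
        for entry in entries:
            # Assumption: a scheme-only entry such as "http://" names no host,
            # so credentials would be offered to every site using that scheme.
            if entry.endswith("://"):
                findings.append(f"{name}: entry {entry!r} is not limited to one host")
    if prefs.get(BOOL_PREF) is not True:
        findings.append(f"{BOOL_PREF}: not set to true")
    return findings
```

Calling `audit(SAMPLE, "http://ProxySG")` returns four findings for the constructed sample: two for the Virtual URL missing from the negotiate-auth preferences and two for the scheme-only entries.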