Set up Firefox and Internet Explorer

Configure Firefox for SSO

To set up Firefox for single sign-on, you must turn on the Simple and Protected GSS-API Negotiation Mechanism, or SPNEGO, to negotiate authentication with Kerberos.

  1. Launch Firefox.
  2. In the Go box, type about:config, and then click Go.


  1. In the Filter box, type uris.


Enter string value

  1. Double-click network.negotiate-auth.trusted-uris, enter a comma-separated list of URL prefixes or domains that are permitted to engage in SPNEGO authentication with the browser, and then click OK.


  1. Double-click network.negotiate-auth.delegation-uris, enter a comma-separated list of the sites for which the browser may delegate user authorization to the server, and then click OK.

For more information on how to configure Firefox for SSO, please see Enable NTLM Single Sign On in Firefox.

Configure Internet Explorer

Here's how to configure Internet Explorer 7.0 to use SPNEGO and Kerberos. The settings for other versions of IE might vary; see your browser's documentation for more information.

  1. Start Internet Explorer 7.0.
  2. On the Tools menu, click Internet Options.

Internet Options

  1. Click the Advanced tab and make sure that the Enable Integrated Windows Authentication box is checked.


  1. Click the Security tab.
  2. Select a zone. For example, Local intranet, and then click Custom level.

Security Settings - Local Intranet Zone

  1. In the Settings list, under User Authentication, select one of the following:
    • Automatic logon with current user name and password for a trusted site
    • Automatic logon only in Intranet zone for a site you added to IE's list of Intranet sites


For more information, see your browser's documentation.

  1. Return to the Security tab for Internet Options and set your web server as a trusted site.
  2. Restart Internet Explorer.

Test Authentication

The first test is to determine if Integrated Windows Authentication is working for all domain users. As depicted in the above configuration examples, protect your web pages to be accessible by members of MYDOMAIN\domain^users.

Use Internet Explorer because it supports Integrated Windows Authentication. Verify that the Enable Integrated Windows Authentication box is checked in the Internet Explorer Internet Options dialog on the Advanced tab. Also, make sure the target server is allowed to be trusted in the Intranet Zone.

To Single-Sign-On for a domain user:

  1. Log on to a Windows computer that is joined to the same domain you joined your Linux or Unix system to. Log on as a domain user.
  2. Access the protected web site from Internet Explorer using the host name. This should use Kerberos authentication if the DNS settings for the client and server are configured accurately.
  3. Access the protected web site using the IP address of the server because doing so will result in the Internet Explorer using NTLM for the server. The authentication should succeed without a need to provide a user name and password.