Automatic NTLM Authentication in your browser

If you're in an authenticated network environment, an intranet or other workplace environment where you need to authenticate using NTLM, you've probably been frustrated by having to enter your Windows credentials a dozen or more times a day, even though you're already logged into the network itself, in order to access resources on your corporate intranet - Webmail, time-sheets, documents, HR and probably many others. Why can't the browser just know who you are and authenticate you automatically?

Turns out it can.

Firefox and Chrome/IE do it slightly differently, but it's essentially the same process. You just need to whitelist the domain names you want to allow automatic authentication to, and let Windows save your credentials.

IE (and Chrome)

Internet Explorer supports Integrated Windows Authentication (IWA) out-of-the-box, but may need additional configuration due to the network or domain environment.

In Active Directory (AD) environments, the default authentication protocol for IWA is Kerberos, with a fallback to NTLM. Chrome uses Windows settings for all of its security policies, so when you configure IE, Chrome will comply and work automatically.

In Windows 10 you can simply hit your Start button and search for "Internet Options" - it's a Control Panel menu. Alternatively, you can open Internet Explorer, and select "Settings" (the gear), "Internet Options".
From here, select either Local Intranet or Trusted Sites and click the Sites button to edit the site options, then click Advanced to edit the list of URLs for the zone.
Then, add the domains you'd like to trust for authentication to this list.

That's basically all you have to do. Of course, you also need to have your credentials stored by Windows in order to allow automatic authentication. Normally, logging into the network will do this; however, if the intranet site or proxy you're connecting to hasn't been used before, you may need to manually add the credentials to Windows.

To do this, you simply need to open the "Credential Manager" (either from search, or Control Panel), select the Windows Credentials option at the top and add a new credential for the domain you're connecting to. Simple.

Firefox

Firefox is (comparatively) much easier to configure. Although Firefox supports the Kerberos/NTLM authentication protocols, it must be manually configured to work correctly. Firefox doesn't use the concept of security zones like IE; however, it won't automatically present credentials to any host unless explicitly configured. By default, Firefox rejects all SPNEGO (Simple and Protected GSS-API Negotiation) challenges from any Web server, including the IWA Adapter. What this means is that you will be presented with a login prompt every time you visit a site that uses this authentication method, even when you are already logged into your network.

Firefox must be manually configured for a whitelist of sites permitted to exchange SPNEGO protocol messages with the browser.

To authenticate Firefox, you have to modify 3 parameters.

  1. Open a new tab and navigate to the page about:config (in the address bar);
  2. Add your URIs (separated by ,) in the following 3 parameters:
       network.automatic-ntlm-auth.trusted-uris
       network.negotiate-auth.delegation-uris
       network.negotiate-auth.trusted-uris
     For the value, add the URL of your intranet domain, or proxy redirection page, like
       https://intranet,https://intranet.neurotechnics.local,https://myproxy.local
  3. Modify signon.autologin.proxy to be true
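
An added example, not part of the original post: a small Python audit of a Firefox prefs.js for the three whitelist preferences above, useful for reviewing what a profile will authenticate to automatically. The checks (flagging http:// entries, scheme-only entries with no host, and delegation entries missing from the negotiate trusted list) are this example's own policy assumptions, the sample file content is constructed, and files.example.internal is a placeholder host.

```python
import re

# The three whitelist preferences named in the steps above.
AUTH_PREFS = (
    "network.automatic-ntlm-auth.trusted-uris",
    "network.negotiate-auth.trusted-uris",
    "network.negotiate-auth.delegation-uris",
)
# prefs.js / user.js lines look like: user_pref("name", "string value");
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"([^"]*)"\);', re.M)

def parse_prefs(text):
    """Return {pref_name: [entries]} for the three auth preferences."""
    found = {}
    for name, value in PREF_LINE.findall(text):
        if name in AUTH_PREFS:
            found[name] = [e.strip() for e in value.split(",") if e.strip()]
    return found

def audit(text):
    """Return sorted (pref, entry, reason) findings for risky whitelist entries."""
    prefs = parse_prefs(text)
    findings = []
    for name, entries in prefs.items():
        for entry in entries:
            scheme, sep, rest = entry.partition("://")
            if sep and scheme.lower() == "http":
                # Automatic authentication over an unencrypted connection.
                findings.append((name, entry, "cleartext http origin"))
            if sep and not rest.strip("/"):
                # A bare scheme places no restriction on the host.
                findings.append((name, entry, "scheme only, no host"))
    trusted = set(prefs.get("network.negotiate-auth.trusted-uris", []))
    for entry in prefs.get("network.negotiate-auth.delegation-uris", []):
        if entry not in trusted:
            findings.append(("network.negotiate-auth.delegation-uris", entry,
                             "delegated but not in negotiate trusted list"))
    return sorted(findings)

# Constructed sample prefs.js content for the demonstration.
SAMPLE = '''
user_pref("network.automatic-ntlm-auth.trusted-uris", "https://intranet,http://myproxy.local");
user_pref("network.negotiate-auth.trusted-uris", "https://intranet.neurotechnics.local,https://");
user_pref("network.negotiate-auth.delegation-uris", "https://intranet.neurotechnics.local,https://files.example.internal");
user_pref("signon.autologin.proxy", true);
'''

if __name__ == "__main__":
    for pref, entry, reason in audit(SAMPLE):
        print(f"{pref}: {entry!r} -> {reason}")
```

To review a real profile, pass the contents of its prefs.js to audit() instead of SAMPLE.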