Integrated Authentication with Firefox and Exchange 2010

With the Exchange 2010 Outlook Web App (OWA), it is possible to use Firefox to access your mailbox. Yes, this was always possible, but the premium features were only available for Internet Explorer users. As of now, I could only detect one small difference between Firefox and IE, namely the S/MIME functionality. Most users or even admins probably don’t know that it exists, as it is not often implemented.

I am a frequent user of Firefox and prefer it over IE, especially now with Exchange 2010. However, I am annoyed that I always have to enter my login credentials. That’s another benefit of IE: support for Integrated Authentication on Exchange. When logged in on a Windows domain computer, why would you have to also log into the Webmail? You are already authenticated.

But… Firefox also supports Integrated Authentication! It is not configured by default, so that Firefox doesn’t accidentally present AD authentication information to an Internet server. Internet Explorer can be configured to forcibly recognize intranet domain names via Group Policies.

Just type the following in the Firefox address bar:

about:config

And edit the following values:

network.negotiate-auth.delegation-uris
network.negotiate-auth.gsslib
network.negotiate-auth.trusted-uris

Just add the internal domain or the FQDN of your Exchange (CAS) server. The change takes effect immediately, but remember that this only works on Windows domain computers residing in the same domain or forest as your Exchange Server.

Now I’m investigating whether these settings can be configured centrally via GPOs or scripts. But that is another challenge, as Firefox uses configuration files (prefs.js in the user profile) and no registry settings. If you have figured this out, let me know!
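Because the point of leaving these preferences empty is to keep AD credentials away from Internet servers, it is worth checking what actually ends up in prefs.js. The following is an added example, not part of the original post: a small Python audit that reads the `user_pref(...)` lines and flags list entries broader than your internal domain, including a bare scheme such as `https://`, which in Firefox's list format matches every host. The suffix `corp.example`, the host names and the sample prefs.js content are constructed assumptions.

```python
import re

# Preferences from the article that hold a comma-separated URI list.
# network.negotiate-auth.gsslib holds a library path, so it is not audited.
URI_LIST_PREFS = (
    "network.negotiate-auth.trusted-uris",
    "network.negotiate-auth.delegation-uris",
)
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"([^"]*)"\);', re.M)

# Constructed sample prefs.js content (hypothetical hosts and domain).
SAMPLE_PREFS = '''\
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.negotiate-auth.trusted-uris", "https://cas01.corp.example, https://, mail.example.org");
user_pref("network.negotiate-auth.delegation-uris", "cas01.corp.example");
'''


def parse_entry(entry):
    """Split one list entry into (scheme, host); either part may be empty."""
    scheme, sep, rest = entry.partition("://")
    if not sep:  # no scheme given: the entry is host-only
        scheme, rest = "", entry
    host = rest.split("/", 1)[0].split(":", 1)[0].lower().lstrip(".")
    return scheme.lower(), host


def audit_prefs(prefs_text, internal_suffixes):
    """Return (pref, entry, reason) for every entry broader than intended."""
    findings = []
    for name, value in PREF_RE.findall(prefs_text):
        if name not in URI_LIST_PREFS:
            continue
        for entry in filter(None, (e.strip() for e in value.split(","))):
            _scheme, host = parse_entry(entry)
            if not host:
                findings.append((name, entry, "scheme only: matches every host"))
            elif not any(host == s or host.endswith("." + s)
                         for s in internal_suffixes):
                findings.append((name, entry, "host outside internal domains"))
    return findings


if __name__ == "__main__":
    for finding in audit_prefs(SAMPLE_PREFS, ["corp.example"]):
        print(*finding, sep=" | ")
```

Run it against each profile's prefs.js with your own internal suffixes; an empty result means every entry stays inside the domains you listed.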

Further Reading:
Mozilla Firefox: Integrated Authentication

Exchange 2010: Configure Integrated Windows Authentication