Firefox only allows Kerberos tokens to sites matching the network.negotiate-auth.trusted-uris list.

This list is comma-separated and may contain wildcards or FQDN names.

Configuring network.negotiate-auth.trusted-uris manually

For testing purposes, you can set network.negotiate-auth.trusted-uris manually by entering about:config in the address bar, then search the setting and enter the list:

Making a Group Policy for network.negotiate-auth.trusted-uris 

On the domain controller, run Group Policy Management (gpmc.msc), and create or locate a policy that contains user objects. 

Create the new Group Policy and edit it after creation

Create a new logon script

Navigate to User Configuration - Policies - Windows Settings - Scripts and open Logon. The logon script may be placed anywhere on a file server or inside the policy itself. 
In this example, firefox-settings.bat and user.js are placed inside the policy itself.


  •  Choose Add.. and then Browse. Windows Explorer will open the path to the Sysvol Policy.

    1 Example: \\example.local\SysVol\example.local\Policies\{2D1CB1B7-F1BD-4CE8-8B3D-2F9FD06A764C}\User\Scripts\Logon
  • Right-click and make a new text document with the following content.
    Save the file as firefox-settings.bat

    1 if exist "%APPDATA%\Mozilla\Firefox" for /D %%F in ("%APPDATA%\Mozilla\Firefox\Profiles\*") do copy /y Example: \\example.local\SysVol\example.local\Policies\{2D1CB1B7-F1BD-4CE8-8B3D-2F9FD06A764C}\User\Scripts\Logon\user.js %%F
  • Create a new file named user.js with the content to match your domain.  (The file must be named user.js) 
    Commas separate multiple names. is treated as *

    1 user_pref("network.negotiate-auth.trusted-uris", ",");
  • Finish the dialogue by opening firefox-settings.bat


The complete policy

Configuring network.negotiate-auth.allow-non-fqdn

In some cases, you may need to set this to 'true' for Firefox to send Kerberos tickets to the site when using short-form URLs.