Documentation for Crowd 2.7. Documentation for earlier versions of Crowd is available too.


Confluence NTLM plugin not officially supported by Atlassian


The Confluence NTLM plugin was written by a third party. Atlassian does not officially support the plugin. The Atlassian Crowd team will do our best to advise on any Crowd integration problems. Please refer to the plugin documentation for installation instructions and further support.

Out of the box, Confluence does not support Single Sign On (SSO) functionality. This page describes how to set up Confluence with NTLM SSO functionality using the Confluence NTLM plugin, Crowd, and Active Directory (AD) as your LDAP user repository.

Summary

The Confluence NTLM plugin enables the following authentication scenario:

  • A user in a Windows domain logs into the Windows network, using their Active Directory username/password.
  • Then, when they open Confluence in an Internet Explorer browser, they are seamlessly logged into Confluence.

The Crowd component then allows you to manage all users and groups in Active Directory. Crowd automatically ensures that users and groups are synchronised between AD and Confluence. For example, if a user or group is added to or deleted from AD, it will automatically be added to or deleted from Confluence.

Components

Confluence NTLM plugin

NTLM is the protocol used by Windows for authentication. The Confluence NTLM plugin takes care of the Windows domain / Active Directory login to Confluence. You must be running a Windows Domain Controller with accounts set up in AD in order to use this plugin. If NTLM authentication is not available, the plugin allows standard form-based login to Confluence.
Note: This plugin is not officially supported by Atlassian.

Crowd

Crowd takes care of the synchronisation of users/groups between Active Directory and Confluence.
You will need to create an SSL connection between Crowd and the AD server if you would like to create users through Crowd. AD will not allow Crowd to add users or change their passwords unless the communication occurs over a secure connection.

Active Directory (AD) on Windows 2003 Server

You must already have an AD instance set up and running with a domain controller.

Confluence

The machine running Confluence must be part of the Windows domain or installed on the same box as the domain controller.

Steps

  1. Back up your Confluence installation files and data:
    • Confluence Home directory. (See Confluence's Important Directories and Files for how to locate this).
    • Confluence installation directory (if you are using Confluence) or your Confluence webapp (if you are using Confluence EAR-WAR).
    • Your database (if you are not using the embedded database).
  2. Download the Confluence NTLM plugin.
  3. Install the plugin, following the instructions on the plugin documentation page.
  4. In the ldaputil.properties file, insert the appropriate LDAP and Domain Controller information along with other parameters.
  5. Install and configure Crowd.
  6. Create a directory in Crowd for the AD LDAP server.
  7. Create the Confluence application in Crowd and configure Crowd and Confluence to talk to each other, as described in Integrating Crowd with Atlassian Confluence.

    When following the above instructions, do not change the seraph-config.xml file to enable Crowd's SSO functionality (i.e. do not change the authenticator node to read <authenticator class="com.atlassian.crowd.integration.seraph.ConfluenceAuthenticator"/>). Instead of Crowd's SSO authentication, we will be using the Confluence NTLM plugin.

  8. In AD, create the groups confluence-users and confluence-administrators. They should then appear in Crowd.
  9. In AD, create an admin user and make them a member of the above groups in AD.
  10. Create any additional groups that you would like in AD.
  11. Log in to the Windows domain using your desktop login and then open Confluence in an Internet Explorer browser. You should be logged in automatically.

Additional Crowd Performance Tips

  • Change the default cache setting timeout in the file <CONFLUENCE>\WEB-INF\classes\crowd-ehcache.xml. For performance reasons, increase the object caching to 7,200 seconds (2 hours):
    timeToIdleSeconds="7200" timeToLiveSeconds="7200".
    This reduces the frequency of the requests from Crowd to the LDAP server when changes to LDAP objects (such as a group name or user attribute) are made, thus reducing the performance overhead.
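The two configuration checks a practitioner would want before and after following the steps above are whether seraph-config.xml still points at Confluence's own authenticator rather than Crowd's SSO authenticator (step 7), and what the cache timeouts in crowd-ehcache.xml actually are (the performance tip above). The script below is an added example, not part of this page or of the NTLM plugin or Crowd; the seraph-config.xml and crowd-ehcache.xml samples embedded in it are constructed for illustration, the cache names in the ehcache sample are assumptions rather than Crowd's real cache names, and the default authenticator class com.atlassian.confluence.user.ConfluenceAuthenticator is what a stock Confluence install is expected to carry.

```python
import xml.etree.ElementTree as ET

# Class that step 7 says NOT to configure when using the NTLM plugin (from the page).
CROWD_SSO_AUTHENTICATOR = "com.atlassian.crowd.integration.seraph.ConfluenceAuthenticator"

# Constructed sample seraph-config.xml, not copied from a real installation.
SERAPH_CONFIG_SAMPLE = """<security-config>
  <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>
</security-config>
"""

# Constructed sample crowd-ehcache.xml; cache names are assumptions for illustration.
EHCACHE_SAMPLE = """<ehcache>
  <defaultCache maxElementsInMemory="1000" eternal="false"
                timeToIdleSeconds="120" timeToLiveSeconds="120"/>
  <cache name="example.user.cache" maxElementsInMemory="1000"
         eternal="false" timeToIdleSeconds="120" timeToLiveSeconds="120"/>
  <cache name="example.group.cache" maxElementsInMemory="1000"
         eternal="false" timeToIdleSeconds="120" timeToLiveSeconds="120"/>
</ehcache>
"""


def authenticator_class(seraph_xml):
    """Return the class attribute of the <authenticator> node, or None if absent."""
    root = ET.fromstring(seraph_xml)
    node = root.find("authenticator")
    return None if node is None else node.get("class")


def uses_crowd_sso(seraph_xml):
    """True if seraph-config.xml has been switched to Crowd's SSO authenticator."""
    return authenticator_class(seraph_xml) == CROWD_SSO_AUTHENTICATOR


def cache_timeouts(ehcache_xml):
    """Map each cache (defaultCache or named cache) to (timeToIdle, timeToLive) in seconds."""
    root = ET.fromstring(ehcache_xml)
    timeouts = {}
    for node in root.iter():
        if node.tag in ("defaultCache", "cache"):
            name = node.get("name", "defaultCache")
            idle = int(node.get("timeToIdleSeconds", "0"))
            live = int(node.get("timeToLiveSeconds", "0"))
            timeouts[name] = (idle, live)
    return timeouts


def set_cache_timeouts(ehcache_xml, seconds):
    """Return a copy of the config with every cache's idle and live timeouts set to `seconds`."""
    root = ET.fromstring(ehcache_xml)
    for node in root.iter():
        if node.tag in ("defaultCache", "cache"):
            node.set("timeToIdleSeconds", str(seconds))
            node.set("timeToLiveSeconds", str(seconds))
    return ET.tostring(root, encoding="unicode")


def max_staleness_seconds(ehcache_xml):
    """Worst case: how long a group removal or user deletion in AD can stay invisible to Confluence."""
    return max((live for _, live in cache_timeouts(ehcache_xml).values()), default=0)


def audit(seraph_xml, ehcache_xml):
    """Summarise both checks as plain findings a reviewer can read."""
    findings = []
    if uses_crowd_sso(seraph_xml):
        findings.append("seraph-config.xml uses Crowd SSO authenticator; NTLM plugin setup expects it unchanged")
    else:
        findings.append("seraph-config.xml authenticator: %s" % authenticator_class(seraph_xml))
    findings.append("cached AD state may lag by up to %d seconds" % max_staleness_seconds(ehcache_xml))
    return findings


if __name__ == "__main__":
    tuned = set_cache_timeouts(EHCACHE_SAMPLE, 7200)
    for line in audit(SERAPH_CONFIG_SAMPLE, tuned):
        print(line)
```

The staleness figure is the practical trade-off behind the performance tip: with both timeouts at 7,200 seconds, a user removed from confluence-users in AD can keep their cached membership in Confluence for up to two hours, so size the timeout against how quickly you need AD removals to take effect.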

5 Comments

    1. If a user comes in via Confluence (or JIRA) via NTLM, does this mean that other Crowd applications (Fisheye, etc...) are also logged in?
    2. Does this work with a delegated directory? If so, I would assume we could create confluence-users in Crowd if we wanted to.
    1. Bob,

      If you have SSO enabled and the user first accesses JIRA or Confluence to generate the SSO token (via NTLM), the user should continue to remain logged in for other Crowd-enabled applications.

      Thanks,
      Donna

      1. Donna,

        The above installation steps say:

        When following the above instructions, do not change the seraph-config.xml file to enable Crowd's SSO functionality

        You wrote above:

        If you have SSO enabled

        These two sound a bit contradictory.

        Why should we not enable Crowd SSO according to the steps above? What consequences will occur if we do enable it to support Crowd SSO?

        Thank you,
        Tibor

  1. Does this plugin support Version 2 of the NTLMv2 protocol ?

    1. As far as I am aware, this one, being based on JCIFS only, doesn't.

      We had to integrate Jira and Confluence with Jespa from IOPLEX.com to achieve NTLMv2 autologin in a Crowd-based environment. Six months into production use in one of the large New Zealand organizations, everything works perfectly.

      We are planning to repackage our work into a plugin very soon. If your need for NTLMv2 authentication with Confluence and Jira is dire, contact us via http://techtime.co.nz (see email addresses at the top).