Confluence NTLM plugin not officially supported by Atlassian
Out of the box, Confluence does not support Single Sign On (SSO) functionality. This page describes how to set up Confluence with NTLM SSO functionality using the Confluence NTLM plugin, Crowd, and Active Directory (AD) as your LDAP user repository.
The Confluence NTLM plugin enables the following authentication scenario:
- A user in a Windows domain logs into the Windows network, using their Active Directory username/password.
- Then, when they open Confluence in an Internet Explorer browser, they are seamlessly logged into Confluence.
The Crowd component then allows you to manage all users and groups in Active Directory. Crowd automatically ensures that users and groups are synchronised between AD and Confluence. For example, if a user/group is added/deleted from AD it will be automatically added/deleted from Confluence.
Confluence NTLM plugin
NTLM is the protocol used by Windows for authentication. The Confluence NTLM plugin takes care of the Windows domain / Active Directory login to Confluence. You must be running a Windows Domain Controller with accounts set up in AD in order to use this plugin. If NTLM authentication is not available, the plugin allows standard form-based login to Confluence.
Crowd takes care of the synchronisation of users/groups between Active Directory and Confluence.
Active Directory (AD) on Windows 2003 Server
Active Directory (AD) on Windows 2003 Server — you must already have an AD instance set up and running with a domain controller.
The machine running Confluence must be part of the Windows domain or installed on the same box as the domain controller.
- Back up your Confluence installation files and data:
- Download the Confluence NTLM plugin.
- Install the plugin, following the instructions on the plugin documentation page.
- In the
ldaputil.propertiesfile, insert the appropriate LDAP and Domain Controller information along with other parameters.
- Install and configure Crowd.
- Create a directory in Crowd for the AD LDAP server.
Create the Confluence application in Crowd and configure Crowd and Confluence to talk to each other, as described in Integrating Crowd with Atlassian Confluence.
When following the above instructions, do not change the
seraph-config.xmlfile to enable Crowd's SSO functionality. (I.e. don't change the
authenticatornode to read
<authenticator class="com.atlassian.crowd.integration.seraph.ConfluenceAuthenticator"/>. Instead of Crowd's SSO authentication, we'll be using the Confluence NTLM plugin.
- In AD, create the groups confluence-users and confluence-administrators. They should then appear in Crowd.
- In AD, create an admin user and make them a member of the above groups in AD.
- Create any additional groups that you would like in AD.
- Log in to the Windows domain using your desktop login and then open Confluence in an Internet Explorer browser. You should be logged in automatically.
Additional Crowd Performance Tips
- Change the default cache setting timeout in the file
<CONFLUENCE>\WEB-INF\classes\crowd-ehcache.xml. For performance reasons, increase the object caching to 7,200 seconds (2 hours):
This reduces the frequency of the requests from Crowd to the LDAP server when changes to LDAP objects (such as a group name or user attribute) are made, thus reducing the performance overhead.
- Turn on the 'Use Paged Results' option in the directory connector tab for the directory you've set up in Crowd.