Confluence NTLM plugin not officially supported by Atlassian

The Confluence NTLM plugin was written by a third party. Atlassian does not officially support the plugin. The Atlassian Crowd team will do our best to advise on any Crowd integration problems. Please refer to the plugin documentation for installation instructions and further support.

Out of the box, Confluence does not support Single Sign On (SSO) functionality. This page describes how to set up Confluence with NTLM SSO functionality using the Confluence NTLM plugin, Crowd, and Active Directory (AD) as your LDAP user repository.

Summary

The Confluence NTLM plugin enables the following authentication scenario:

  • A user in a Windows domain logs into the Windows network, using their Active Directory username/password.
  • Then, when they open Confluence in an Internet Explorer browser, they are seamlessly logged into Confluence.

The Crowd component then allows you to manage all users and groups in Active Directory. Crowd automatically ensures that users and groups are synchronised between AD and Confluence. For example, if a user or group is added to or deleted from AD, it is automatically added to or deleted from Confluence.

Components

Confluence NTLM plugin

NTLM is the protocol used by Windows for authentication. The Confluence NTLM plugin takes care of the Windows domain / Active Directory login to Confluence. You must be running a Windows Domain Controller with accounts set up in AD in order to use this plugin. If NTLM authentication is not available, the plugin allows standard form-based login to Confluence.
Note: This plugin is not officially supported by Atlassian.

Crowd

Crowd takes care of the synchronisation of users/groups between Active Directory and Confluence.
You will need to create an SSL connection between Crowd and the AD server if you would like to create users through Crowd. AD will not allow Crowd to add users or change their passwords unless the communication occurs over a secure connection.

Active Directory (AD) on Windows 2003 Server

You must already have an AD instance set up and running with a domain controller.

Confluence

The machine running Confluence must be part of the Windows domain, or Confluence must be installed on the same machine as the domain controller.

Steps

  1. Back up your Confluence installation files and data:
    • Confluence Home directory. (See Confluence's Important Directories and Files for how to locate this).
    • Confluence installation directory (if you are using Confluence) or your Confluence webapp (if you are using Confluence EAR-WAR).
    • Your database (if you are not using the embedded database).
  2. Download the Confluence NTLM plugin.
  3. Install the plugin, following the instructions on the plugin documentation page.
  4. In the ldaputil.properties file, insert the appropriate LDAP and Domain Controller information along with other parameters.
  5. Install and configure Crowd.
  6. Create a directory in Crowd for the AD LDAP server.
  7. Create the Confluence application in Crowd and configure Crowd and Confluence to talk to each other, as described in Integrating Crowd with Atlassian Confluence.

    When following the above instructions, do not change the seraph-config.xml file to enable Crowd's SSO functionality. (That is, don't change the authenticator node to read <authenticator class="com.atlassian.crowd.integration.seraph.ConfluenceAuthenticator"/>.) Instead of Crowd's SSO authentication, we'll be using the Confluence NTLM plugin.

  8. In AD, create the groups confluence-users and confluence-administrators. They should then appear in Crowd.
  9. In AD, create an admin user and make them a member of the above groups in AD.
  10. Create any additional groups that you would like in AD.
  11. Log in to the Windows domain using your desktop login and then open Confluence in an Internet Explorer browser. You should be logged in automatically.

Additional Crowd Performance Tips

  • Change the default cache timeout setting in the file <CONFLUENCE>\WEB-INF\classes\crowd-ehcache.xml. For performance reasons, increase the object caching to 7,200 seconds (2 hours):
    timeToIdleSeconds="7200" timeToLiveSeconds="7200"
    This reduces the frequency of requests from Crowd to the LDAP server, and so the performance overhead. The trade-off is that a change to an LDAP object (such as a group name or user attribute) may not appear in Confluence until the cached entry expires.
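
A post-install check for step 7 and the cache tip above, added here as an example (not Atlassian's or the plugin author's code): it confirms that Crowd's SSO authenticator is not the active authenticator in seraph-config.xml and that every cache entry in crowd-ehcache.xml carries the 7,200-second lifetimes. The sample XML, the placeholder authenticator class and the cache name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Class name quoted on this page: Crowd's SSO authenticator, which stays disabled here.
CROWD_SSO = "com.atlassian.crowd.integration.seraph.ConfluenceAuthenticator"
CACHE_ATTRS = ("timeToIdleSeconds", "timeToLiveSeconds")


def check_seraph(xml_text):
    """Return findings for seraph-config.xml; an empty list means it passes."""
    # ElementTree drops XML comments, so commented-out alternatives are ignored.
    nodes = ET.fromstring(xml_text).findall(".//authenticator")
    if len(nodes) != 1:
        return [f"expected exactly one active <authenticator>, found {len(nodes)}"]
    if nodes[0].get("class") == CROWD_SSO:
        return ["Crowd SSO authenticator is enabled; this setup uses the NTLM plugin instead"]
    return []


def check_ehcache(xml_text, expected=7200):
    """Return one finding per cache attribute that is not the expected lifetime."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag not in ("defaultCache", "cache"):
            continue
        name = el.get("name", el.tag)
        for attr in CACHE_ATTRS:
            value = el.get(attr)
            if value is None or not value.isdigit() or int(value) != expected:
                findings.append(f"{name}: {attr}={value!r}, expected {expected}")
    return findings


# Constructed samples; the authenticator class below is a placeholder, not the plugin's.
SAMPLE_SERAPH = """<security-config>
  <!-- <authenticator class="com.atlassian.crowd.integration.seraph.ConfluenceAuthenticator"/> -->
  <authenticator class="example.placeholder.NtlmAuthenticator"/>
</security-config>"""

SAMPLE_EHCACHE = """<ehcache>
  <defaultCache timeToIdleSeconds="7200" timeToLiveSeconds="7200"/>
  <cache name="constructed-cache" timeToIdleSeconds="300" timeToLiveSeconds="7200"/>
</ehcache>"""

if __name__ == "__main__":
    for finding in check_seraph(SAMPLE_SERAPH) + check_ehcache(SAMPLE_EHCACHE):
        print("FINDING:", finding)
```

To check a real installation, pass the contents of seraph-config.xml and crowd-ehcache.xml to the two functions in place of the samples.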