NTLM and Anonymous Access
NTLM and Anonymous Access Not Supported
There is currently no supported solution that allows anonymous access to Confluence while using NTLM as the authentication method for Confluence.
Unsupported Solutions Will Cause Problems
Some brave souls have suggested the following two solutions, when using Confluence with IIS. Both suggestions are unsupported and both offer problems:
- Use two ports/URls, one for anonymous users and one for NTLM users.
- Develop a custom redirection page within IIS.
(Not Supported) Using Two Ports and Two Base URLs
Beware! Confluence recognizes only one base URL
This approach will cause problems because Confluence cannot recognize 2 base URLs. Therefore you are risking unexpected behavior from Confluence if you allow access via 2 different ports.
With this approach, you would send all anonymous users to the Tomcat port (for example, 8080) and send all NTLM users to the IIS port. If someone uses the anonymous port and tries to access content that is not available to anonymous users, they will be presented with the Confluence login page. At that point they can enter their Active Directory credentials, and are then using Active Directory integration instead of NTLM.
(Not Supported) Developing a Custom Redirection Page
With this approach everyone uses the IIS URL, and IIS is configured to allow anonymous access. Your development team would need to create a custom solution as follows:
- Create a custom page within IIS. It could be called
login-redirect.aspxin the root of the IIS web. This page would examine the query string for the name 'os_destination' and perform a redirect to the value of that query string. - In IIS, configure the above page not to allow anonymous access.
- Modify the
confluence\login.vmfile to redirect to to the custom page created above (login-redirect.aspx). It would pass along the 'os_destination' query string value'.