Setup guide for Integrating Kerberos/NTLM Authentication for Confluence

Setup Guide For Integrating Kerberos/NTLM Authentication For Confluence


Kerberos Authentication / Integrated Windows Authentication (IWA) / NTLM gives the end-user access to Confluence without entering user name or password. Kerberos requires client machines to have access to a Key Distribution Center (KDC), which in the Windows world generally means Active Directory. For security reasons, AD is generally not reachable outside the local network/corporate intranet, making Kerberos mainly applicable within a company.

Pre-requisites

To integrate Kerberos/NTLM Authentication with Confluence, you need the following items:

  • Confluence should be installed and configured.
  • Admin credentials are set up in Confluence.
  • Valid Confluence Server and Data center Licence.

Download And Installation

  • Log into your atlassian instance as admin.
  • Navigate to the settings menu and Click Manage Apps.
  • Click Find new apps or Find new add-ons from the left-hand side of the page.
  • Locate Kerberos/NTLM/Windows SSO for Confluence app.
  • Click Try free to begin a new trial or Buy now to purchase a license.
  • Enter your information and click Generate license when redirected to MyAtlassian.
  • Click Apply license.

Setup Kerberos Authentication using miniOrange Kerberos Single Sign On/SSO Confluence add on:

Step 1: Create a Service Account:

  • Login to your AD Domain Controller with an administrator account details.
  • Create a new user account and enable Password never expires option.
  • Kerberos, NTLM, Windows Authentication (SSO) into Confluence with Integrated Windows Authentication (IWA)

Step 2: Choose Active Directory:

  • In order to allow signing into Confluence from your windows account, your Confluence instance needs you have at least one Active Directory configured.
  • Active Directories can be added as User Directories in Confluence.
  • To add an active directory as a user directory, go to User Management > User Directories > Add Directory.
  • You will need the Hostname or Host address, the Service Account name and Service Account password of your Active Directory.
  • Once you have verified that the Active Directory has been successfully added, go back to the application. You will see a table with a list of all the configured Active Directories. Use the following steps to generate your keytab file :
  • Select the Active directory that you wish to use, and then click on Use Selected Directory.
  • Kerberos, NTLM, Windows Authentication (SSO) into Confluence with Integrated Windows Authentication (IWA)
  • A Keytab Configuration section will be displayed. Enter your Key Distribution Center hostname or IP address in the field provided.
  • Enter the filename for your keytab file.
  • Enter the location to which you want to save the keytab file.
  • Enter the location of your tomcat installation. The location should be the root folder containing the bin and conf folders.
  • Click on Save.
  • Kerberos, NTLM, Windows Authentication (SSO) into Confluence with Integrated Windows Authentication (IWA)

Step 3: Generate a Keytab file using ktpass:

  • You will need to run ktpass command in order to generate Keytab file, ktpass command is simply formed by filling up required options in the Generate Keytab section..
  • Open a run administrator command window.
  • Execute ktpass command.
  • Kerberos, NTLM, Windows Authentication (SSO) into Confluence with Integrated Windows Authentication (IWA)
  • Parameters needed to generate ktpass command.
    • Domain Name: Your LDAP server Domain is your domain name, in dot-separated uppercase format. You can easily identify your Domain name by running echo %USERDNSDOMAIN% on your client machine terminal.
    • Domain Controller Hostname/IP Address: Enter Hostname/IP Address of your Domain Controller (DC) machine. You can use nslookup to get an IP address from your Host Name.
    • Service Principal Name: Service Principal Name would be your Confluence Server Domain name. This must be unique on your Domain Controller.
    • Username: Enter the username of the newly created user. It should be in one of the following formats:
      1. domain\user example:- MINIORANGE\demouser
      2. Full User name with @
    • Password: Enter the password of the newly created user.
    • File Name: Keytab file name. If not set then takes a file name as Kerberos by default.
    • File Location: File Location where you want to save the Keytab file. It should end with “/” OR “\” based on System (Windows, Linux etc).
    • Confluence Server Location: Path name of your Confluence home directory. Specify the base path only.e.g. c:\apache-tomcat or /home/apache-tomcat.
  • Note:

    In-case you are hosting your Active Directory in a Linux environment, you will need the ktutil tool in-order to generate the keytab. Once you have installed all the necessary packages for this tool, you can use the command given below to generate the keytab. Replace the placeholders in angular brackets with your AD details(without the angular brackets).

  • Request: ktutil
    addent -password -p @ -k 1 -e RC4-HMAC
    - -
    wkt .keytab
    q

Step 4: Configure Tomcat:

  • Copy .keytab file created on AD Domain Controller (DC) and deploy it on “confluence_home/conf/” directory.
  • Download the krb5.ini configuration file provided in the plugin and paste it to the “confluence_home/bin/” directory.
  • Download the JAAS.conf file configuration file provided in the plugin and paste it to the “confluence_home/bin/” directory.
  • Edit the web.xml file present in the “confluence_home/conf/” directory and include SPNEGO Filter provided in the plugin.
  • Download spnego.jar file of SPNEGO Filter and paste it in “confluence_home/lib/” directory.

Step 5: Enable Kerberos Authentication:

  • Select Enable Kerberos Authentication and click on Save.
  • Kerberos, NTLM, Windows Authentication (SSO) into Confluence with Integrated Windows Authentication (IWA)

Setup NTLM Authentication using miniOrange add on:

Step 1: Computer Account Creation:

  • Log in on the Domain Controller (DC) with the Administrator user.
  • Create a new computer account.
  • Kerberos, NTLM, Windows Authentication (SSO) into Confluence with Integrated Windows Authentication (IWA)
  • Change password of computer account using this command. The computer account name ends with $.
  • Kerberos, NTLM, Windows Authentication (SSO) into Confluence with Integrated Windows Authentication (IWA)

Step 2: AD Configuration:

Use the following steps to configure AD.

  • Domain Name (preWindows 2000)): Enter your AD domain name is your NetBios or PreWindows 2000 Name. Please find steps to get NetBiosName here.
  • Domain Controller Host Name/IP Address: Enter your Hostname or IP address of the domain controller machine. Use nslookup to get IP address from your Host Name.
  • Simple (non-FQDN) Host Name: This is your machine hostname. Run the command hostname on your DC machine to find the simple hostname, e.g. EC2AMAZ-0I8J83M
  • Computer Account for Connection (Created in Step 1): Computer Account Name should be entered in this format: accountName$@domain.com
  • Computer Account Password: Enter the password for the above Computer Account.
  • Server Location: Enter the installation directory of your instance. Specify only the base path of the directory. e.g. C:\Atlassian\ or /home/Atlassian/
  • Click on Save.

Step 3: Download Libraries:

  • Edit the web.xml file present in “/conf/” directory and include the NTLM filter provided in the plugin.
  • Kerberos, NTLM, Windows Authentication (SSO) into Confluence with Integrated Windows Authentication (IWA)
  • Download libraries.zip file, extract jar files and paste them in “/lib/” directory. Click here to download.
  • Restart your server to apply the above changes.

Step 4: Enable NTLM Authentication:

  • Select Enable NTML Authentication and click on Save.
  • Kerberos, NTLM, Windows Authentication (SSO) into Confluence with Integrated Windows Authentication (IWA)


Our Other Apps: SAML SSO Apps | OAuth Apps | 2FA Apps | Crowd Apps | REST API Apps |
                             Bitbucket Git Authentication App | Kerberos/NTLM Apps | User Sync Apps

If you are looking for anything which you cannot find, please drop us an email on info@xecurify.com