Setup guide for Integrating Kerberos/NTLM Authentication for Confluence

Kerberos Authentication / Integrated Windows Authentication (IWA) / NTLM gives the end-user access to Confluence without entering user name or password. Kerberos requires client machines to have access to a Key Distribution Center (KDC), which in the Windows world generally means Active Directory. For security reasons, AD is generally not reachable outside the local network/corporate intranet, making Kerberos mainly applicable within a company.

Setup Kerberos Authentication using miniOrange Kerberos Single Sign On/SSO Confluence add on:

Step 1: Create a Service Account

  1. Login to your AD Domain Controller with an administrator account details.
  2. Create a new user account and enable Password never expires option.

add-service-user-account

Step 2: Choose Active Directory

  • In order to allow signing into Confluence from your windows account, your Confluence instance needs you have at least one Active Directory configured.
  • Active Directories can be added as User Directories in Confluence.
  • To add an active directory as a user directory, go to User Management > User Directories > Add Directory.
  • You will need the Hostname or Host address, the Service Account name and Service Account password of your Active Directory.

Once you have verified that the Active Directory has been successfully added, go back to the application. You will see a table with a list of all the configured Active Directories. Use the following steps to generate your keytab file :

  1. Select the Active directory that you wish to use, and then click on Use Selected Directory.
  2. A Keytab Configuration section will be displayed. Enter your Key Distribution Center hostname or IP address in the field provided.
  3. Enter the filename for your keytab file.
  4. Enter the location to which you want to save the keytab file.
  5. Enter the location of your tomcat installation. The location should be the root folder containing the bin and conf folders.
  6. Click on Save.

Step 3: Generate a Keytab file using ktpass

  1. You will need to run ktpass command in order to generate Keytab file, ktpass command is simply formed by filling up required options in the Generate Keytab section.
  2. Open a run administrator command window.
  3. Execute ktpass command.

        

Parameters needed to generate ktpass command.

  • Domain Name: Your LDAP server Domain is your domain name, in dot-separated uppercase format. You can easily identify your Domain name by running echo %USERDNSDOMAIN% on your client machine terminal.
  • Domain Controller Hostname/IP Address: Enter Hostname/IP Address of your Domain Controller (DC) machine. You can use nslookup <domain_name> to get an IP address from your Host Name.
  • Service Principal Name: Service Principal Name would be your Confluence Server Domain name. This must be unique on your Domain Controller.
  • Username: Enter the username of the newly created user. It should be in one of the following formats:
    1. domain\user example:- MINIORANGE\demouser
    2. Full User name with @
  • Password: Enter the password of the newly created user.
  • File Name: Keytab file name. If not set then takes a file name as Kerberos by default.
  • File Location: File Location where you want to save the Keytab file. It should end with “/” OR “\” based on System (Windows, Linux etc).
  • Confluence Server Location: Path name of your Confluence home directory. Specify the base path only.e.g. c:\apache-tomcat or /home/apache-tomcat

Note :- In-case you are hosting your Active Directory in a Linux environment, you will need the ktutil tool in-order to generate the keytab. Once you have installed all the necessary packages for this tool, you can use the command given below to generate the keytab. Replace the placeholders in angular brackets with your AD details(without the angular brackets).

ktutil
 addent -password -p <username>@<MYDOMAIN.COM> -k 1 -e RC4-HMAC
 - <enter password for username> -
 wkt <keytab file name>.keytab
 q

Step 4: Configure Tomcat

  1. Copy .keytab file created on AD Domain Controller (DC) and deploy it on “confluence_home/conf/” directory.
  2. Download the krb5.ini configuration file provided in the plugin and paste it to the “confluence_home/bin/” directory.
  3. Download the JAAS.conf file configuration file provided in the plugin and paste it to the “confluence_home/bin/” directory.
  4. Edit the web.xml file present in the “confluence_home/conf/” directory and include SPNEGO Filter provided in the plugin.

 

Step 5: Enable Kerberos Authentication

Select Enable Kerberos Authentication and click on Save.

 

Setup NTLM Authentication using miniOrange add on:

Step 1: Computer Account Creation

  • Log in on the Domain Controller (DC) with the Administrator user.
  • Create a new computer account.

  • Change password of computer account using this command. The computer account name ends with $

 

Step 2: AD Configuration

Use the following steps to configure AD.

  1. Domain Name (preWindows 2000)): Enter your AD domain name is your NetBios or PreWindows 2000 Name. Please find steps to get NetBiosName here
  2. Domain Controller Host Name/IP Address: Enter your Hostname or IP address of the domain controller machine. Use nslookup <domain_name> to get IP address from your Host Name.
  3. Simple (non-FQDN) Host Name: This is your machine hostname. Run the command hostname on your DC machine to find the simple hostname, e.g. EC2AMAZ-0I8J83M
  4. Computer Account for Connection (Created in Step 1): Computer Account Name should be entered in this format: accountName$@domain.com
  5. Computer Account Password: Enter the password for the above Computer Account
  6. Server Location: Enter the installation directory of your instance. Specify only the base path of the directory. e.g. C:\Atlassian\ or /home/Atlassian/
  7. Click on Save.

 

Step 3: Download Libraries

  • Edit the web.xml file present in “/conf/” directory and include the NTLM filter provided in the plugin.
  •  Click here to download
  • Restart your server to apply the above changes.

 

Step 4: Enable NTLM Authentication

Select Enable NTML Authentication and click on Save.