Caveats
Due to the complex nature of this configuration, we are only able to provide support if your configuration satisfies these additional conditions:
- Confluence must be installed as a stand-alone Tomcat application server.
- The only supported operating systems for this configuration are Windows Server 2003, Windows Server 2008 and Windows Server 2012.
- The server must be a member of the same Active Directory domain that contains the user records that will be authenticated.
- Confluence must be configured to use LDAP integration to Active Directory for user management.
Additional Dependencies
Using this configuration adds a number of additional dependencies to Confluence, which you should review.
Custom Seraph Authenticator
This configuration requires the use of a specialized Seraph authenticator for Confluence. Install and configure this component on the server that hosts Confluence. If you are already using a different custom Seraph authenticator, you may not be able to use this configuration. In this situation, you must either choose a different configuration for the SharePoint Connector or consider developing a new custom Seraph authenticator that aggregates the functionality of both.
Note: No support for custom authenticators
Please note that we are unable to provide support for any custom authenticators not written or explicitly supported by Atlassian.
Custom ISAPI Filter
This configuration requires the use of a custom ISAPI filter for IIS that can communicate using AJP. Install and configure this component on the server that has IIS installed. We will only support the use of the open source Tomcat Connector provided by the Apache Tomcat project.
Note: Limited support for third-party software
Please note that we are unable to provide in-depth support for problems encountered with the Tomcat Connector, as this software is written and maintained by the Apache Software Foundation. We will assist with ensuring the correct configuration values are applied and capturing diagnostic information, but any issues encountered with the Tomcat Connector must be raised through the appropriate channels with the Apache Tomcat project or with another organization that provides commercial support for Tomcat.
Anonymous Access Disabled
Due to limitations with the custom Seraph authenticator that Confluence requires for this configuration, it is not possible to set up anonymous access for Confluence when using this configuration.
Known issues
These are some reported problems with this configuration:
- The user is not able to explicitly log out. Even when they select the logout action, they remain logged in.
- If you log in using NTLM authentication as a user that does not exist in the AD repository, you will not see the personal menu in Confluence's top navigation bar.
- You cannot fall back to using forms-based authentication or anonymous authentication.
Assumptions
- These instructions assume that you install and configure Confluence, Tomcat and IIS on the same server.
- It is also possible to install Tomcat and Confluence on one server and IIS on a different server. The steps are quite similar; where a step differs between the two server layouts, a notice at that step says so.
Installation Instructions
Tip: If you have already configured Confluence to connect to your Active Directory domain, then skip ahead to the next step.
Set up your Confluence server to synchronize its user repository with your Windows Active Directory domain. See the Confluence documentation on LDAP user management.
This and following steps guide you through the configuration required to use IIS as an NTLM authenticator for Confluence. NTLM is an authentication format developed by Microsoft. While some third-party implementations are available, IIS provides the most robust and full-featured NTLM authentication support.
Summary of this configuration:
- It places the Tomcat application server running Confluence behind an IIS website configured for Integrated Windows Authentication.
- IIS is then configured with a custom ISAPI handler that communicates directly with the Tomcat server using Apache JServ Protocol to serve the Confluence content back to the user.
Please follow the guide below that matches the version of your Windows Server:
This section of the guide describes the steps necessary to configure Confluence to co-operate with the IIS Web Server. Throughout this section, '%confluence_install%' refers to your Confluence installation directory.
Step 3.1: Set Confluence Path
- Edit the %confluence_install%\conf\server.xml file. Find the Context element in the file, and then change the path value to '/confluence'. The line should look something like this:
```xml
<Context path="/confluence" docBase="../confluence" debug="0" reloadable="false">
```
- Save your changes and close the file.
- Restart Confluence and verify that it is now accessible from the new path, such as http://localhost:8080/confluence.
Step 3.2: Add AJP Connector
Now you will change Tomcat's configuration, replacing the standard Coyote HTTP connector (which allows Tomcat to send and receive HTTP traffic) with a custom AJP connector (which allows Tomcat to communicate using Apache JServ Protocol).
- Edit the %confluence_install%\conf\server.xml file.
- Locate the Connector element and comment it out entirely.
- Add a new Connector element that looks like the one below. The values that must match exactly are address, protocol and tomcatAuthentication:
```xml
<Connector port="8009" address="127.0.0.1" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" tomcatAuthentication="false" URIEncoding="UTF-8" />
```
Info: If IIS is not located on the same server as Confluence, then the address attribute should be omitted:
```xml
<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" tomcatAuthentication="false" URIEncoding="UTF-8" />
```
- Ensure that your server.xml file now contains only a single Connector definition. You can still define more than one Connector element, but in this configuration we recommend that only one Connector definition is used.
- Save your changes and close the file.
- Restart Confluence and ensure that the server initializes successfully.
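A check for the Step 3.2 settings, as an added example rather than Atlassian's own tooling: with tomcatAuthentication="false" Tomcat accepts the user identity that IIS passes over AJP, so the script flags any connector that deviates from the values above. The function name, the findings text and both sample server.xml fragments are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the connector from Step 3.2 with the old HTTP
# connector commented out (the parser skips XML comments).
SAMPLE_GOOD = """<Server><Service name="Tomcat-Standalone">
  <!-- <Connector port="8090" protocol="HTTP/1.1" /> -->
  <Connector port="8009" address="127.0.0.1" enableLookups="false"
             redirectPort="8443" protocol="AJP/1.3"
             tomcatAuthentication="false" URIEncoding="UTF-8" />
</Service></Server>"""

# Constructed sample: HTTP connector left active, AJP connector missing
# both address and tomcatAuthentication.
SAMPLE_BAD = """<Server><Service name="Tomcat-Standalone">
  <Connector port="8090" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""


def audit_connectors(server_xml, iis_on_same_host=True):
    """Return findings for a server.xml string; an empty list means it
    matches the values Step 3.2 says must match exactly."""
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    findings = []
    if len(connectors) != 1:
        findings.append(f"expected 1 active Connector, found {len(connectors)}")
    if not any(c.get("protocol") == "AJP/1.3" for c in connectors):
        findings.append("no AJP/1.3 Connector is defined")
    for c in connectors:
        port = c.get("port")
        # Tomcat treats a Connector without a protocol attribute as HTTP/1.1.
        proto = c.get("protocol", "HTTP/1.1")
        if proto != "AJP/1.3":
            findings.append(f"port {port}: direct {proto} connector still active")
            continue
        if c.get("tomcatAuthentication") != "false":
            findings.append(f"port {port}: tomcatAuthentication is not 'false'")
        # The loopback bind only applies when IIS runs on the same server.
        if iis_on_same_host and c.get("address") != "127.0.0.1":
            findings.append(f"port {port}: address is not 127.0.0.1")
    return findings


if __name__ == "__main__":
    for name, xml in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, audit_connectors(xml))
```

Pass iis_on_same_host=False for the two-server layout, where the page says the address attribute is omitted.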
Step 3.3: Add Custom Authenticator
Include Page: _Configure Custom Authenticator
Step 3.4: Modify Base URL
The final step in configuring Confluence is to modify the Server Base URL to point to the IIS web site, rather than directly to Confluence. This ensures that any hyperlinks generated within Confluence pages will direct users through the IIS website. For example, if your Tomcat server runs Confluence on http://intranet.company.com:8080/confluence and the IIS web site runs on http://intranet.company.com, then the Confluence Base URL needs to be changed to http://intranet.company.com/confluence. See the Confluence documentation for instructions on modifying the Base URL.
Step 4. Set Client Browser Options
In order for users to be automatically logged in to Confluence without being prompted for their username and password, the browser must be correctly configured for pass-through authentication. Please instruct all users to ensure that the recommended browser settings are applied.