I run Atlassian’s Confluence in several organizations. It’s a great product and runs on many platforms. Being a Windows admin I tend to stick to the existing Microsoft stack where possible, so I typically run Confluence on Windows against Microsoft SQL Server. The jTDS driver that comes with Confluence wants to use a SQL server user and can’t use NTLM/Windows authentication out of the box. With a few simple changes, we can have Confluence using NTLM auth to connect to SQL Server.
Doesn’t Microsoft Provide a JDBC driver?
They sure do! I used this driver up until very recently. The Microsoft driver supports NTLM/Windows auth and failover partner (for database mirroring).
Unfortunately, it’s not supported by Atlassian. It was working fine for a while, but after a recent upgrade, I noticed that the automatic backups stopped working. Then page comments were failing.
After opening tickets with Atlassian, the determination was that there were bugs in Confluence that caused it not to work with Microsoft’s JDBC driver, but they insisted that they could not offer support for it.
So back to jTDS I went. I still long for the failover partner functionality, but at least I got NTLM working again.
The jTDS Way
When I said that NTLM is not supported out of the box, let me clarify. The driver supports it just fine, but the copy that comes with Confluence doesn’t include the Windows DLL that is needed. We need to get the DLL, put it in place, change the connection string, and change the user that the Confluence service runs as.
Create a Windows/AD User
Confluence will need to be running as a specific user that can authenticate against SQL server and access the Confluence database.
If your SQL server is not on the same machine as Confluence, then both machines should be joined to the same Active Directory domain, and the user you create should be a domain user.
When the user is created, make sure that:
-
The user is not prevented from logging into the server which runs Confluence (logon restrictions, etc.).
-
The user can log into SQL server.
-
The user has access to the Confluence database on SQL server.
Download jTDS for ntlmauth.dll
-
Head over to the jTDS download page and grab the ZIP file.
-
Extract the ZIP and look at the directory structure.
-
There is an
x86
and anx64
directory; choose the one that corresponds to your Confluence installation (if you’re running x86 Confluence on x64 Windows, choose x86). -
Inside, there is an
SSO
directory, which containsntlmauth.dll
. -
Copy this file into your Confluence installation’s
bin
directory.
Change the Configuration
-
Browse to your Confluence data directory.
-
Edit confluence.cfg.xml.
-
- Find the connection URL, which will look something like this:
-
- Change that line so that it looks like this:
-
The
useNTLMv2
property is optional, but I am under the impression that it provides better security. -
- You’ll also find
username
andpassword
fields:
- You’ll also find
- You can remove those properties entirely, or comment them out.
Changing the Service Parameters
To actually get Confluence running as the user you set up earlier, you need to tell the Windows service to run as the user. You can do this any way you like, such as through services.msc or the command line.
I tend to run Confluence on Server Core when possible so I like to use the command line utility sc.exe
:
The spaces between the =
and the parameter are important! Or, with PowerShell:
Testing it Out
At this point you can just restart the service and see if it works. If you would rather see some output and not have to dig through logs, you might consider testing this by running confluence manually.
Just remember that you have to run it as the user you’re setting the service to, not as your administrative user, so don’t just go double clicking startup.bat
to try it out.
You can run a command prompt as your new Windows user to help with this:
This will prompt you for the password of the new user and then open a command prompt as that user. From there, you can run the startup command for Confluence and see what’s going on.
Other Considerations
Since the data directory is kept intact during an upgrade, you shouldn’t have to worry about the config change during an upgrade, but ntlmauth.dll
will be overwritten and need to be replaced. Refer to my post about Confluence and JIRA upgrades for an easy remedy.
To my knowledge there is no way to get that database mirroring failover functionality with jTDS. If you know of a way, I’d love to hear from you!