This documentation relates to an earlier version of the SharePoint Connector.

If you want to use NTLM with Confluence and also allow anonymous access to Confluence, you will need to carefully consider which approach you use for authentication.

Regardless of the option you choose, you will need to enable anonymous access within Confluence (Confluence Admin -> Global Permissions).

Tomcat + IIS Approach

With "Configure Confluence to Use a Custom Authenticator" and Tomcat + IIS, you have two choices:

  • Use two ports/URLs: one for anonymous users and one for NTLM users
  • Develop a custom redirection page within IIS

Using Two Ports/URLs

With this approach you simply send all anonymous users to the Tomcat port (e.g., 8080) and send all NTLM users to the IIS port. If someone uses the anonymous port and tries to access content that is not available to anonymous users, they will be presented with the Confluence login page. At that point they can enter their AD credentials, but this is not using NTLM (just AD integration).

Developing a Custom Redirection Page

With this approach everyone uses the IIS URL and the following is done:

  • IIS is configured to allow anonymous access.
  • A custom page is created within IIS. It could be called login-redirect.aspx in the root of the IIS web. This page would look on the query string for the name "os_destination" and simply perform a redirect to the value for that query string item.
  • In IIS, configure the above page to not allow anonymous access.
  • The confluence\login.vm file is modified to redirect to the custom page created above (login-redirect.aspx). It would pass along the "os_destination" query string value it was provided on its own query string.

Unfortunately, we are not providing the custom login-redirect page in IIS or the login.vm updates to you at this time. To track this, please see CSI-286.
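The following is an added example of what the code-behind for login-redirect.aspx could look like. It is not code from Atlassian or the SharePoint Connector. Because the redirect target is taken from the query string, the sketch only follows "os_destination" when it is a local path on the same site. The class name, the fallback target and the assumption that "os_destination" carries a site-relative path beginning with "/" are all assumptions of this example.

```csharp
// login-redirect.aspx.cs -- added example, not Atlassian's code.
// Assumes anonymous access is disabled for this page in IIS, so IIS has
// already completed NTLM authentication before Page_Load runs.
using System;
using System.Web.UI;

public partial class LoginRedirect : Page   // class name is hypothetical
{
    // Assumed fallback when os_destination is missing or rejected.
    private const string DefaultTarget = "/";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Request.QueryString returns the value already URL-decoded.
        string target = SafeDestination(Request.QueryString["os_destination"]);

        // Redirect without aborting the thread, then end the request cleanly.
        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Returns dest only if it is a local path on this site; otherwise the fallback.
    internal static string SafeDestination(string dest)
    {
        if (string.IsNullOrEmpty(dest)) return DefaultTarget;

        // Must be rooted with a single slash. This rejects absolute URLs
        // ("http://..."), scheme-relative URLs ("//host") and "/\host",
        // which some browsers treat like "//host".
        if (dest[0] != '/') return DefaultTarget;
        if (dest.Length > 1 && (dest[1] == '/' || dest[1] == '\\')) return DefaultTarget;

        // Control characters (CR and LF included) do not belong in a Location header.
        foreach (char c in dest)
        {
            if (char.IsControl(c)) return DefaultTarget;
        }
        return dest;
    }
}
```

If Confluence is served under a context path, the fallback target and any prefix handling need to be adjusted to match.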

JCIFS Approach

With "Configure Confluence to Use a Custom Authenticator" and JCIFS, we haven't dug deep enough to understand how this would be done. There do not appear to be two ports/URLs that you can use, but "JCIFS NTLM HTTP Authentication" likely provides some clues.

We hope to provide more details here in the future. You can watch this page for updates or track this issue at CSI-287.
